Skip to main content

Adobe Creative Cloud Desktop EUVDEUVD-2026-44492

| CVE-2026-48344 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-07-14 adobe GHSA-q3wj-mx7q-rfv9
7.8
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local unprivileged user must win a non-deterministic TOCTOU race (AV:L, PR:L, AC:H); winning yields full code execution across a privilege boundary (S:C, C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 21:17 vuln.today
CVE Published
Jul 14, 2026 - 20:21 cve.org
HIGH 7.8

DescriptionCVE.org

Creative Cloud Desktop is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Local privilege escalation to arbitrary code execution affects the Adobe Creative Cloud Desktop application through a Time-of-check Time-of-use (TOCTOU) race condition, letting a low-privileged local attacker execute code and - because the CVSS scope is changed - impact resources beyond the initial security context. No user interaction is required, but the race is hard to win: exploitation depends on conditions beyond the attacker's control, reflected in the high attack complexity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local account
Delivery
Launch process racing Adobe privileged helper
Exploit
Swap resource in TOCTOU window
Execution
Win race to redirect privileged operation
Persist
Execute arbitrary code in elevated context
Impact
Cross scope boundary to escalate privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires local access with an existing low-privileged account on a host running Adobe Creative Cloud Desktop (AV:L/PR:L), and it requires winning a TOCTOU timing race against a Creative Cloud Desktop privileged operation - the description explicitly states the exploit 'depends on conditions beyond the attacker's control,' which is the concrete limiting factor and the reason for AC:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, meaning local access and existing low privileges are required, no user interaction is needed, and successful exploitation yields full confidentiality, integrity, and availability impact across a scope boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user (or malware already running under a standard user account) on a machine with Creative Cloud Desktop installed runs a program that repeatedly manipulates a file or path used by Adobe's privileged helper, racing to substitute an attacker-controlled resource between the app's check and its use. If the timing window is won, the attacker's code executes in the elevated context, escalating from standard user to higher privilege. …
Remediation Patch available per Adobe advisory APSB26-77 (https://helpx.adobe.com/security/products/creative-cloud/apsb26-77.html) - update Creative Cloud Desktop to the fixed version listed there (exact build not present in the supplied data; confirm the patched version from the bulletin before deployment). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all systems running Adobe Creative Cloud Desktop and document business-critical deployments; contact Adobe support to confirm patch timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy