high threat

CVE-2026-34643: Adobe After Effects Out-of-Bounds Write Vulnerability

Adobe After Effects versions 26.0, 25.6.4, and earlier are susceptible to an out-of-bounds write vulnerability, potentially leading to arbitrary code execution when a user opens a malicious file.

Adobe After Effects versions 26.0, 25.6.4, and earlier are affected by an out-of-bounds write vulnerability (CVE-2026-34643). The flaw could allow an attacker to execute arbitrary code in the context of the currently logged-on user. Exploitation requires user interaction: the victim must open a specially crafted, malicious file in an affected version of After Effects. The vulnerability poses a significant risk to users who handle files from untrusted sources, as it could lead to system compromise.

Attack Chain

  1. Attacker crafts a malicious After Effects project file (.aep) designed to trigger an out-of-bounds write.
  2. The attacker delivers the malicious .aep file to a victim, likely through email or file sharing.
  3. The victim opens the malicious .aep file using a vulnerable version of Adobe After Effects (26.0, 25.6.4, or earlier).
  4. After Effects processes the crafted file, leading to the out-of-bounds write condition during parsing.
  5. The out-of-bounds write corrupts memory, potentially overwriting critical data structures.
  6. The attacker leverages the memory corruption to inject and execute arbitrary code.
  7. The injected code executes within the context of the After Effects process, inheriting the user’s privileges.
  8. The attacker gains control of the system, enabling them to perform actions such as installing malware, stealing data, or further compromising the network.

Impact

Successful exploitation of CVE-2026-34643 allows for arbitrary code execution on the victim’s system. This can result in complete system compromise, data theft, malware installation, and further propagation of the attack within an organization. Given the popularity of After Effects in creative industries, a successful attack could have widespread consequences.

Recommendation

  • Upgrade to a version of Adobe After Effects that is not affected by CVE-2026-34643.
  • Exercise caution when opening After Effects project files (.aep) from untrusted sources, as exploitation requires user interaction.
  • Monitor process creation logs for suspicious child processes spawned by After Effects to detect potential exploitation, as outlined in the provided Sigma rules.
  • Consider implementing application control policies to restrict the execution of unauthorized code within the After Effects process.

Detection coverage (2 rules)

Detect CVE-2026-34643 Exploitation Attempt — Suspicious Child Processes of After Effects

high

Detects CVE-2026-34643 exploitation attempt — monitors for suspicious child processes spawned by After Effects, which could indicate arbitrary code execution following an out-of-bounds write.

Format: sigma | Tactics: execution | Techniques: T1059.001, T1059.003, T1059.005, T1566.001 | Sources: process_creation, windows
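
A minimal sketch of the parent/child logic this rule describes, run over constructed process-creation events. It is an added example, not the platform's Sigma rule; the `AfterFX.exe` parent image name, the interpreter list derived from the listed T1059 sub-techniques, and the Sysmon-style field names are assumptions.

```python
import ntpath

# Assumption: After Effects runs as AfterFX.exe on Windows.
PARENT_IMAGE = "afterfx.exe"

# Interpreters grouped by the T1059 sub-techniques listed for the rule.
SUSPICIOUS_CHILDREN = {
    "powershell.exe": "T1059.001",
    "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "wscript.exe": "T1059.005",
    "cscript.exe": "T1059.005",
}

def image_name(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return ntpath.basename(path or "").lower()

def match_event(event):
    """Return an alert for an interpreter spawned by After Effects, else None."""
    if image_name(event.get("ParentImage")) != PARENT_IMAGE:
        return None
    technique = SUSPICIOUS_CHILDREN.get(image_name(event.get("Image")))
    if technique is None:
        return None
    return {"technique": technique, "image": event["Image"],
            "command_line": event.get("CommandLine", ""),
            "user": event.get("User", "")}

def scan(events):
    """Apply match_event to every event and keep the hits, in order."""
    return [alert for alert in map(match_event, events) if alert]

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
AE = r"C:\Program Files\Adobe\Adobe After Effects 2025\Support Files\AfterFX.exe"
SAMPLE_EVENTS = [
    {"ParentImage": AE, "User": "LAB\\editor",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File example.ps1"},
    {"ParentImage": AE, "Image": r"C:\Windows\System32\CMD.EXE",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": AE, "Image": r"C:\Tools\ExampleHelper.exe"},  # hypothetical helper
    {"Image": r"C:\Windows\System32\wscript.exe"},  # ParentImage missing
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Render automation and third-party scripts that shell out from After Effects will also match, so baseline those parent/child pairs before alerting on this logic.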

Detect CVE-2026-34643 Exploitation Attempt — Network Connection from After Effects

medium

Detects CVE-2026-34643 exploitation attempt — monitors for network connections initiated by After Effects, which could indicate C2 activity after arbitrary code execution.

Format: sigma | Tactics: command_and_control | Techniques: T1071.001, T1566.001 | Sources: network_connection, windows

Detection queries are available on the platform.