CVE-2026-34690 Overview
CVE-2026-34690 is a stack-based buffer overflow vulnerability [CWE-121] affecting Adobe After Effects versions 26.0, 25.6.4, and earlier. Successful exploitation allows arbitrary code execution in the context of the current user. The vulnerability impacts both Windows and macOS installations of After Effects.
Exploitation requires user interaction. A victim must open a malicious project file crafted by an attacker. Adobe published security advisory APSB26-48 documenting the issue and providing fixed versions.
Critical Impact
Attackers can achieve arbitrary code execution in the context of the current user when a victim opens a malicious After Effects file on a vulnerable installation.
Affected Products
- Adobe After Effects 26.0 and earlier
- Adobe After Effects 25.6.4 and earlier
- Installations on Microsoft Windows and Apple macOS
Discovery Timeline
- 2026-05-12 - CVE-2026-34690 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-34690
Vulnerability Analysis
The vulnerability is classified as a stack-based buffer overflow [CWE-121] in Adobe After Effects. After Effects writes data beyond the bounds of a fixed-size buffer allocated on the stack while parsing attacker-controlled file content. The overflow corrupts adjacent stack memory, including saved return addresses and frame pointers.
An attacker controlling the overflow contents can redirect execution flow. The result is arbitrary code execution within the security context of the user running After Effects. Because After Effects is typically launched by interactive desktop users, the attacker inherits the user's privileges, file system access, and network reachability.
The EPSS probability for in-the-wild exploitation stands at 0.008% as of 2026-05-17. No public proof-of-concept exploit and no CISA Known Exploited Vulnerabilities listing exist at the time of publication.
Root Cause
The root cause is insufficient bounds checking when parsing structured input from project or media files loaded by After Effects. A length or count field embedded in the file is trusted without validation against the destination stack buffer size. Copying the attacker-supplied bytes into the undersized buffer overwrites adjacent stack frames.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious After Effects file through email, a shared project repository, a download link, or a removable drive. When the victim opens the file in a vulnerable After Effects build, the parser triggers the overflow and executes attacker-supplied shellcode.
No authentication is required on the target system beyond the user's existing interactive session. Privileges gained equal those of the user, which on many creative workstations include local administrator rights.
No verified public exploit code is available. See the Adobe Security Advisory APSB26-48 for vendor technical details.
Detection Methods for CVE-2026-34690
Indicators of Compromise
- Unexpected child processes spawned by AfterFX.exe on Windows or After Effects.app on macOS, particularly command shells, powershell.exe, cmd.exe, bash, or osascript.
- After Effects process crashes or abnormal terminations logged in Windows Application Event Log or macOS unified logs immediately after opening a project file.
- Outbound network connections originating from the After Effects process to unfamiliar hosts shortly after a file open event.
- Newly created executables, scripts, or scheduled tasks written by the After Effects process to user-writable directories.
Detection Strategies
- Hunt for process lineage anomalies where After Effects spawns interpreters, scripting hosts, or living-off-the-land binaries.
- Alert on After Effects writing to autorun locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run or macOS LaunchAgents directories.
- Inspect endpoint telemetry for stack corruption indicators including unhandled exceptions in AfterFX.exe followed by suspicious memory allocations.
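The first two strategies above can be expressed as a small triage pass over endpoint events. This is an added example, not code from the advisory or from any vendor; the event schema (type, actor, target), the sample paths, and the rule names are constructed for illustration.

```python
import ntpath

# Child image names the page lists as suspicious under After Effects.
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "bash", "osascript"}
# Autorun locations from the page, lower-cased. The hive prefix is omitted so
# HKCU and per-SID (HKU\<SID>\...) renderings of the Run key both match.
AUTORUN_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",
    "/library/launchagents/",
)

def image_name(path):
    """Lower-cased file name; ntpath splits on both backslash and slash."""
    return ntpath.basename(path).lower()

def is_after_effects(path):
    # Assumption: the macOS executable's file name contains "After Effects".
    name = image_name(path)
    return name == "afterfx.exe" or "after effects" in name

def triage(events):
    """Return (rule, event) pairs for After Effects activity worth a look."""
    hits = []
    for ev in events:
        if not is_after_effects(ev["actor"]):
            continue
        target = ev["target"].lower()
        if ev["type"] == "process_create":
            if image_name(target) in SUSPECT_CHILDREN:
                hits.append(("ae_spawned_interpreter", ev))
        elif ev["type"] in ("registry_set", "file_write"):
            if any(marker in target for marker in AUTORUN_MARKERS):
                hits.append(("ae_autorun_write", ev))
    return hits

# Constructed telemetry in a hypothetical schema (type, actor, target).
AE_WIN = r"C:\Program Files\Adobe\Adobe After Effects 2026\Support Files\AfterFX.exe"
AE_MAC = "/Applications/Adobe After Effects 2026/Adobe After Effects 2026.app/Contents/MacOS/After Effects"
SAMPLE_EVENTS = [
    {"type": "process_create", "actor": AE_WIN, "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "actor": AE_WIN, "target": r"C:\Example\render-helper.exe"},
    {"type": "registry_set", "actor": AE_WIN, "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "file_write", "actor": AE_MAC, "target": "/Users/alice/Library/LaunchAgents/com.example.agent.plist"},
    {"type": "file_write", "actor": AE_MAC, "target": "/Users/alice/Documents/project.aep"},
    {"type": "process_create", "actor": r"C:\Windows\explorer.exe", "target": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev["target"])
```

Because the Run-key marker is a substring match, RunOnce and HKLM writes by After Effects are flagged as well.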
Monitoring Recommendations
- Inventory installed After Effects versions across creative endpoints and flag builds at or below 26.0 and 25.6.4.
- Monitor file-open telemetry for After Effects project files (.aep, .aepx) arriving from external email or shared storage.
- Forward endpoint process, file, and network telemetry to a centralized data lake for retrospective hunting against this CVE.
How to Mitigate CVE-2026-34690
Immediate Actions Required
- Apply the fixed Adobe After Effects builds identified in advisory APSB26-48 to every Windows and macOS workstation running After Effects.
- Restrict opening of After Effects project files received from untrusted sources until patches are deployed.
- Remove local administrator rights from accounts that routinely run After Effects to limit post-exploitation impact.
Patch Information
Adobe released fixed versions through security advisory APSB26-48. Administrators should consult the Adobe Security Advisory APSB26-48 for the exact patched version numbers and download locations. Update through the Adobe Creative Cloud desktop client or through enterprise deployment tooling.
Workarounds
- Block inbound delivery of After Effects project files (.aep, .aepx) at email and web gateways for users who do not require them.
- Open untrusted project files only inside isolated virtual machines without network access or sensitive data.
- Enforce application allowlisting so that processes spawned by After Effects cannot launch unauthorized binaries.
```bash
# Verify installed After Effects version on macOS
/usr/bin/mdls -name kMDItemVersion "/Applications/Adobe After Effects 2026/Adobe After Effects 2026.app"
```

```powershell
# Verify installed After Effects version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
    Where-Object { $_.DisplayName -like "Adobe After Effects*" } |
    Select-Object DisplayName, DisplayVersion
```
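To triage the version strings those two commands return across an inventory, the sketch below compares each one against the affected ranges stated on this page (26.0 and earlier, 25.6.4 and earlier). It is an added example, not Adobe tooling; the host names and sample values are constructed, and it assumes any fourth version component is a build number that can be ignored. Versions above the listed range are reported as `check-advisory` because the fixed build numbers are given only in APSB26-48.

```python
import re

# Highest affected release on each track, as stated on this page.
AFFECTED_MAX = {26: (26, 0, 0), 25: (25, 6, 4)}

def parse_version(text):
    """Pull a version out of a DisplayVersion value or an mdls line such as
    kMDItemVersion = "26.0"; returns a 3-tuple, or None if no digits found."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        return None
    # Assumption: only major.minor.patch matter; extra components are dropped.
    parts = [int(p) for p in match.group(0).split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(text):
    """Return 'affected', 'check-advisory' or 'unknown' for one raw value."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major = version[0]
    if major < 25:
        return "affected"  # older than 25.6.4, so inside "and earlier"
    limit = AFFECTED_MAX.get(major)
    if limit is None or version > limit:
        return "check-advisory"  # above the page's range; confirm in APSB26-48
    return "affected"

def hosts_needing_action(inventory):
    """Hosts whose build is affected or could not be determined."""
    return sorted(h for h, raw in inventory.items()
                  if classify(raw) in ("affected", "unknown"))

# Constructed inventory: host name -> raw command output.
SAMPLE_INVENTORY = {
    "edit-mac-01": 'kMDItemVersion = "26.0"',
    "edit-mac-02": "kMDItemVersion = (null)",
    "edit-win-01": "25.6.4",
    "edit-win-02": "25.6.5",
    "edit-win-03": "24.6.2",
}

if __name__ == "__main__":
    for host, raw in sorted(SAMPLE_INVENTORY.items()):
        print(host, classify(raw))
```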

