CVE-2025-21159

High

Published: 11 February 2025

Published

11 February 2025

Modified

03 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Illustrator versions 29.1, 28.7.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21159 is a Use After Free vulnerability (CWE-416) affecting Adobe Illustrator versions 29.1, 28.7.3, and earlier. The flaw occurs in the software and could result in arbitrary code execution in the context of the current user, with exploitation requiring user interaction such that a victim must open a malicious file.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Local attackers with low complexity can exploit it by tricking users into opening a specially crafted malicious file, achieving high-impact arbitrary code execution, confidentiality, integrity, and availability compromises under the privileges of the affected user.

Adobe's security bulletin APSB25-11 details the issue and recommends applying the available patches, as outlined at https://helpx.adobe.com/security/products/illustrator/apsb25-11.html.

Details

CWE(s): CWE-416

Affected Products

adobe

illustrator

28.0 — 28.7.4 · 29.0 — 29.2.1

References

https://helpx.adobe.com/security/products/illustrator/apsb25-11.html
Vendor Advisory · psirt@adobe.com