Adobe Fixes 40+ Vulnerabilities Across Its Creative Software Portfolio

Adobe has released a sweeping set of security updates as part of its February 2026 Patch Tuesday, addressing a total of 44 vulnerabilities across widely used creative and digital imaging applications. The fixes, disclosed through nine separate security advisories, target products that are staples in professional media production, design, and photography workflows.

According to Adobe, the vulnerabilities were discovered and responsibly reported by external security researchers. While none of the flaws are known to have been exploited in the wild, a significant portion of them are considered serious due to their potential impact if abused.

Critical Code Execution Risks Mitigated

More than two dozen of the patched vulnerabilities were classified by Adobe as critical because they could allow arbitrary code execution. Such flaws typically enable attackers to run malicious code on a victim’s system, potentially leading to data theft, malware installation, or full system compromise.

Despite the critical classification, Adobe noted that the issues received high—rather than critical—Common Vulnerability Scoring System (CVSS) ratings, suggesting that exploitation would likely require specific conditions, such as convincing a user to open a specially crafted file.

The affected products include:

Audition
After Effects
InDesign Desktop
Bridge
Lightroom Classic
DNG Software Development Kit (SDK)
Substance 3D Designer
Substance 3D Stager
Substance 3D Modeler

File-parsing vulnerabilities—common in media-heavy applications—remain a frequent attack vector, especially in environments where users routinely exchange project files from external or untrusted sources.

Additional Memory and Denial-of-Service Issues

Beyond the code execution flaws, Adobe also resolved a number of important-severity vulnerabilities. These issues, rated as medium severity under CVSS, include memory exposure bugs and denial-of-service (DoS) conditions. While less dangerous than remote code execution, such flaws can still be leveraged to crash applications, disrupt workflows, or leak sensitive information from memory.

In enterprise and creative studio settings, even non-critical vulnerabilities can carry operational risk, particularly when exploited as part of chained attacks or used to degrade availability in production environments.

No Active Exploitation Observed

Adobe stated that it is not aware of any active exploitation of the vulnerabilities addressed in this update. All advisories were assigned a priority rating of 3, indicating that the company believes the likelihood of imminent attacks is low.

This assessment aligns with broader Patch Tuesday trends observed by vulnerability monitoring organizations, which note that attackers typically prioritize flaws in operating systems, browsers, and widely exposed network services before targeting specialized creative software.

A majority of the vulnerabilities patched in this release were credited to researchers operating under the online aliases “Yjdfy” and “Voidexploit.” Their disclosures highlight the continued role of independent researchers and bug reporting programs in strengthening the security of commercial software.

Update Recommended Despite Low Risk

The lack of known exploitation does not eliminate risk. Administrators are strongly advised to patch immediately, especially for applications that process complex file formats. Creative professionals, enterprises, and managed service providers must deploy updates without delay. Creative professionals, enterprises, and managed service providers are encouraged to apply the updates as soon as practical to reduce long-term exposure.

Adobe’s February Patch Tuesday underscores a familiar security reality: even highly specialized software used primarily by creative professionals remains part of the broader threat landscape and benefits from consistent vulnerability research and rapid remediation.

Read Adobe’s Advisory HERE

Microsoft also released its February 2026 Patch Tuesday which Fixes 50+ Vulnerabilities, Including 6 Zero-Day Flaws