{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21288", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-12-12T22:01:18.190Z", "datePublished": "2026-01-13T18:41:20.363Z", "dateUpdated": "2026-01-13T19:02:39.353Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Illustrator", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "30.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-01-13T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.5, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 5.5, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "NULL Pointer Dereference (CWE-476)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-01-13T18:41:20.363Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/illustrator/apsb26-03.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Illustrator | NULL Pointer Dereference (CWE-476)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T19:02:11.646654Z", "id": "CVE-2026-21288", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:02:39.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21288", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T19:02:11.646654Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:02:31.815Z"}}], "cna": {"title": "Illustrator | NULL Pointer Dereference (CWE-476)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 5.5, "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "HIGH", "environmentalScore": 5.5, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "NONE", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "NONE", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Illustrator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "30.0"}], "defaultStatus": "affected"}], "datePublic": "2026-01-13T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/illustrator/apsb26-03.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference (CWE-476)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-01-13T18:41:20.363Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21288", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:02:39.353Z", "dateReserved": "2025-12-12T22:01:18.190Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-01-13T18:41:20.363Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:illustrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "51DBEB22-5A04-40DC-BF47-0A6711977FBA", "versionEndExcluding": "29.8.4", "versionStartIncluding": "29.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:illustrator:30.0:*:*:*:*:*:*:*", "matchCriteriaId": "7239093D-0266-4AFA-BA6C-94F6593E0B4B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-21288", "lastModified": "2026-01-14T19:29:14.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-01-13T19:16:26.173", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/illustrator/apsb26-03.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:34:51.752776+00:00", "value": {"mitigation_remediation": ["Install the latest Adobe Illustrator update that resolves the NULL pointer dereference issue.", "Avoid opening unknown or suspicious files; verify source authenticity before loading into Illustrator.", "When possible, run Illustrator in a sandboxed or virtualized environment to contain crashes and protect other work."], "summary": {"action": "Update Illustrator", "impact": "Denial of Service (application crash)"}, "threat_synthesis": {"affected_systems": "The issue affects Adobe Illustrator versions 29.8.3, 30.0, and all earlier releases on Windows and macOS platforms. No specific operating\u2011system version is required beyond those where Illustrator runs. The vulnerability is tied to the Adobe Illustrator application, not the underlying OS.", "description_and_impact": "This vulnerability is a NULL Pointer Dereference identified as CWE-476 that can cause Adobe Illustrator to crash when processing a specially crafted file. A crash results in a denial\u2011of\u2011service within the application, preventing the user from continuing work and potentially disrupting dependent workflows. The flaw does not provide code execution or privilege escalation but can be leveraged to interrupt productivity.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates moderate severity. EPSS shows a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker must provide a malicious file to a user who then opens it, so the vector relies on user interaction. While the risk of spontaneous exploitation is low, the potential for targeted attacks in environments where users frequently handle unknown files heightens concern."}}}}, "created": "2026-01-14T11:07:49.256713+00:00", "updated": "2026-04-18T06:45:23.959932+00:00", "vendors": ["adobe", "adobe$PRODUCT$illustrator"]}