Adobe has released a comprehensive set of security updates as part of its February 2026 Patch Tuesday, addressing a total of 44 vulnerabilities across widely used creative and digital imaging applications.
The fixes were disclosed through nine separate security advisories and target products integral to professional media production, design, and photography workflows. External security researchers discovered and reported the vulnerabilities.
Adobe has stated that none of the flaws are known to have been exploited in active attacks.
Critical Code Execution Risks Mitigated
More than two dozen of the patched vulnerabilities were classified as critical. These flaws could potentially allow arbitrary code execution, which may enable attackers to run malicious code on a victim’s system.
Adobe noted that these issues received high Common Vulnerability Scoring System (CVSS) ratings. However, while significant, they were not rated as critical in all aspects, suggesting exploitation would likely require specific conditions, such as a user opening a specially crafted file.
Affected products include:
- Audition
- After Effects
- InDesign Desktop
- Bridge
- Lightroom Classic
- DNG Software Development Kit (SDK)
- Substance 3D Designer
- Substance 3D Stager
- Substance 3D Modeler
File-parsing vulnerabilities are frequently observed attack vectors in media-heavy applications, particularly where users exchange project files from external or untrusted sources.
Additional Memory and Denial-of-Service Issues
Beyond code execution flaws, Adobe also resolved several important-severity vulnerabilities. These issues, rated as medium severity under CVSS, include memory exposure bugs and denial-of-service (DoS) conditions. Such flaws could lead to application crashes, workflow disruptions, or the leakage of sensitive information from memory.
No Active Exploitation Observed
Adobe assigned a priority rating of 3 to all advisories, indicating a low likelihood of imminent attacks. This aligns with observations that attackers typically prioritize vulnerabilities in operating systems and browsers before specialized creative software.
A majority of the vulnerabilities were credited to researchers operating under the online aliases “Yjdfy” and “Voidexploit.”
Immediate Update Recommendation
Despite the absence of known exploitation, administrators are advised to apply patches immediately. Creative professionals, enterprises, and managed service providers are encouraged to deploy the updates as soon as practical to mitigate long-term exposure. The updates underscore the need for consistent vulnerability research and rapid remediation in specialized software.