Adobe February 2026 Security Updates Explained
What Was Fixed, What Matters Most, and How to Prioritize Patching
On February 10, 2026, Adobe released a coordinated set of security updates covering nine different products across Creative Cloud, Substance 3D, and developer tooling. While Adobe labeled every bulletin as Priority 3, a closer look tells a very different story.
This update cycle includes multiple arbitrary code execution vulnerabilities, many rooted in classic memory safety issues like out-of-bounds access, use-after-free bugs, and improper input validation. These are the kinds of flaws attackers love because they are reliable, powerful, and often triggered by opening or previewing files.
This post breaks down:
- How many bulletins were released
- Which products carry the most risk
- Which CVEs matter most
- A practical patch priority table you can actually use
At a glance: how big was this update?
- 9 Adobe security bulletins
- 44 total CVEs
- 27 critical vulnerabilities
- A strong concentration of memory corruption issues
- No known exploitation in the wild at time of release
Even without active exploitation, the volume and severity alone make this a patch cycle worth paying attention to.
Why “Priority 3” doesn’t tell the full story
Adobe’s priority rating reflects exploitability and context, not just severity. Many of these issues:
- Require local access
- Require user interaction (opening a file, loading a project)
That said, local + user interaction still describes a huge portion of real-world attacks, especially in creative environments where users routinely open files from external sources.
In practice, arbitrary code execution is arbitrary code execution, and several of these products process complex, untrusted data by design.
Patch priority table with CVEs
In total, Adobe addressed 44 CVEs in this release. The table below highlights the critical and highest-risk vulnerabilities that drive patch priority.
Adobe February 10, 2026 – Patch Priority Table
| Priority | Product | Bulletin | Critical CVEs | CVE IDs | Primary Risk |
|---|---|---|---|---|---|
| P1 – Patch immediately | Adobe After Effects | APSB26-15 | 13 | CVE-2026-21318, 21320–21330, 21351 | Arbitrary code execution |
| P1 – Patch immediately | Substance 3D Stager | APSB26-20 | 5 | CVE-2026-21341–21345 | Arbitrary code execution |
| P1 – Patch immediately | Adobe Bridge | APSB26-21 | 2 | CVE-2026-21346, 21347 | Arbitrary code execution |
| P1 – Patch immediately | Lightroom Classic (Windows) | APSB26-06 | 1 | CVE-2026-21349 | Arbitrary code execution |
| P1 – Patch immediately | Adobe DNG SDK | APSB26-23 | 2 | CVE-2026-21352, 21353 | Arbitrary code execution |
| P2 – Patch soon | Substance 3D Designer | APSB26-19 | 2 | CVE-2026-21334, 21335 | Code execution, memory exposure |
| P2 – Patch soon | Adobe Audition | APSB26-14 | 1 | CVE-2026-21312 | Code execution |
| P2 – Patch soon | Adobe InDesign | APSB26-17 | 1 | CVE-2026-21357 | Code execution |
| P3 – Patch when convenient | Substance 3D Modeler | APSB26-22 | 0 | CVE-2026-21348 | Memory exposure |
The most critical products, explained
Adobe After Effects (APSB26-15)
This is the clear outlier. With 13 critical CVEs, nearly all leading to arbitrary code execution, After Effects represents the largest and most complex attack surface in this release. The bugs span out-of-bounds access, use-after-free, integer overflow, and type confusion.
If you only patch one thing immediately, make it this.
Substance 3D Stager and Adobe Bridge
Both products handle rich media and assets automatically. Bridge, in particular, parses previews and metadata simply by browsing directories. That lowers the bar for exploitation and makes its two critical CVEs more concerning than the number alone suggests.
Lightroom Classic (Windows)
This bulletin contains a single CVE, but it is a straight out-of-bounds write leading to code execution. Image processing libraries are a classic attack vector, and Lightroom runs on machines that often have access to valuable data.
Adobe DNG SDK
This one is easy to underestimate. It’s not an end-user app, but an SDK embedded into other software and services. Two critical CVEs were reported by Google Project Zero, which is usually a strong signal of exploitability. Any product that bundles this SDK inherits the risk.
Lower-risk does not mean no-risk
Substance 3D Modeler is the least severe bulletin in this cycle, with a single memory exposure issue and no code execution. That makes it a reasonable candidate for deferred patching, but not for ignoring entirely.
Final takeaway
This Adobe release may look routine at first glance, but it’s actually a heavy memory-safety patch cycle, especially for media-heavy applications.
If you want a simple rule:
- Patch P1 products immediately
- Patch P2 products in your next maintenance window
- Patch P3 when convenient