Description
InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Patch ASAP
AI Analysis

Impact

InDesign Desktop is vulnerable to an access of uninitialized pointer flaw that can be exploited to execute arbitrary code with the privileges of the currently logged‑in user. The vulnerability requires the user to open a specially crafted file, after which the program can run arbitrary instructions in the user’s context.

Affected Systems

Adobe InDesign Desktop versions 21.0, 19.5.5 and all earlier releases are affected. The issue applies to installations on macOS, Windows, and other operating systems where the desktop application runs.

Risk and Exploitability

The flaw carries a CVSS score of 7.8, indicating high severity. The EPSS score is less than 1%, meaning the model estimates a low probability of exploitation, though exploitation remains possible. The CVE is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation is recorded there. An attacker would need to convince a user to open a malicious file, making this a user‑interaction vulnerability. If the file is opened and the flaw is triggered, the attacker gains the privileges of the user who opened it, potentially allowing tampering with files, execution of further malware, or escalation within the system.

Generated by OpenCVE AI on April 18, 2026 at 06:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe InDesign Desktop update that removes the uninitialized pointer bug.
  • If a patch is not yet available, refrain from opening files with extensions such as .idml, .ifd from unknown or untrusted sources.
  • Use file‑type restrictions or content filtering to block malicious file types from being executed or opened by InDesign.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Apple; Apple macos; Microsoft; Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple; Apple macos; Microsoft; Microsoft windows |

Wed, 14 Jan 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe; Adobe indesign |
| Vendors & Products | | Adobe; Adobe indesign |

Tue, 13 Jan 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Tue, 13 Jan 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InDesign Desktop \| Access of Uninitialized Pointer (CWE-824) |
| Weaknesses | | CWE-824 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:16.177Z

Reserved: 2025-12-12T22:01:18.188Z

Link: CVE-2026-21276

Vulnrichment

Updated: 2026-01-13T19:06:45.480Z

NVD

Status: Analyzed

Published: 2026-01-13T19:16:25.200

Modified: 2026-01-14T19:28:06.030

Link: CVE-2026-21276

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses