Description
InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution in the context of the current user
Action: Patch Immediately
AI Analysis

Impact

Adobe InDesign Desktop versions 21.0, 19.5.5 and earlier contain a heap‑based buffer overflow that can be triggered by opening a specially crafted file. The flaw can be exploited to execute arbitrary code with the privileges of the user who opens the file, leading to full compromise of the victim’s system.

Affected Systems

Adobe InDesign Desktop versions 21.0, 19.5.5 and earlier, running on macOS or Windows, are affected. Users with these or older releases should verify their installed version and consider upgrading.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8 (high severity), while its EPSS score is below 1% and it is not currently listed in CISA's KEV catalog. Exploitation requires user interaction: the victim must open a malicious file, so phishing and socially engineered file delivery are the likely attack vectors. The issue is classified under CWE-122 and CWE-787 and is potentially exploitable on both macOS and Windows.

Generated by OpenCVE AI on April 18, 2026 at 06:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Adobe InDesign Desktop release that fixes the vulnerability.
  • Disable or limit automatic opening of unknown or untrusted file formats and use content filtering or antivirus scanning for attachments.
  • Apply application sandboxing or other runtime isolation techniques to reduce the impact if the flaw is exploited.



Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:30:00 +0000

Type: First Time appeared
  Values added: Apple; Apple macos; Microsoft; Microsoft windows
Type: Weaknesses
  Values added: CWE-787
Type: CPEs
  Values added: cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Apple; Apple macos; Microsoft; Microsoft windows

Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
  Values added: Adobe; Adobe indesign
Type: Vendors & Products
  Values added: Adobe; Adobe indesign

Tue, 13 Jan 2026 19:15:00 +0000

Type: Metrics
  Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 19:00:00 +0000

Type: Description
  Values added: InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Type: Title
  Values added: InDesign Desktop | Heap-based Buffer Overflow (CWE-122)
Type: Weaknesses
  Values added: CWE-122
Type: References
  Values added: (none)
Type: Metrics
  Values added: cvssV3_1
  {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:15.298Z

Reserved: 2025-12-12T22:01:18.188Z

Link: CVE-2026-21277

Vulnrichment

Updated: 2026-01-13T19:03:16.851Z

NVD

Status: Analyzed

Published: 2026-01-13T19:16:25.370

Modified: 2026-01-14T19:28:10.860

Link: CVE-2026-21277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses