Description
InDesign Desktop versions 21.1, 20.5.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial-of-Service (application crash)
Action: Assess Impact
AI Analysis

Impact

A heap-based buffer overflow can cause Adobe InDesign Desktop to crash, leading to a denial-of-service condition for the user. The flaw is accessed through a malicious file and requires user interaction to trigger it. As the crash terminates the application, an attacker can disrupt the user’s workflow but cannot gain elevated privileges or execute arbitrary code.

Affected Systems

Adobe InDesign Desktop versions 21.1, 20.5.1 and all earlier releases on macOS and Windows are affected. Users of these operating systems running the vulnerable InDesign variants are at risk if they open untrusted files.

Risk and Exploitability

The CVSS score of 5.5 classifies the vulnerability as moderate, and the EPSS score of less than 1% indicates a very low probability of exploitation. The issue is not listed in CISA’s KEV catalog, suggesting limited public exploitation. The attack vector is user interaction; an attacker must craft a malicious InDesign file and convince or trick a victim into opening it, after which the application will crash and cause service disruption.

Generated by OpenCVE AI on April 17, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe InDesign Desktop security update once released.
  • Verify file sources and avoid opening unknown or suspicious InDesign files.
  • Enable logging for application crashes and review logs for repeated crash events.

Generated by OpenCVE AI on April 17, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe indesign Desktop
Vendors & Products Adobe indesign Desktop

Wed, 11 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe indesign
Apple
Apple macos
Microsoft
Microsoft windows
Weaknesses CWE-787
CPEs cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe indesign
Apple
Apple macos
Microsoft
Microsoft windows

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description InDesign Desktop versions 21.1, 20.5.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title InDesign Desktop | Heap-based Buffer Overflow (CWE-122)
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Indesign Indesign Desktop
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-10T19:00:39.217Z

Reserved: 2025-12-12T22:01:18.206Z

Link: CVE-2026-21358

cve-icon Vulnrichment

Updated: 2026-02-10T19:00:34.739Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:32.857

Modified: 2026-02-11T18:28:40.647

Link: CVE-2026-21358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses