Description
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

InDesign Desktop versions 20.5.2, 21.2, and earlier contain a heap-based buffer overflow that allows an attacker to execute code with the victim's user privileges. The flaw arises when the software processes a specially crafted document, giving the attacker the ability to run arbitrary code. This weakness is classified as CWE-122, and the vulnerability requires the victim to open a malicious file.

Affected Systems

Adobe InDesign Desktop is affected. Users running versions 20.5.2, 21.2, or any prior release are vulnerable. No other Adobe products are listed as impacted in this advisory.

Risk and Exploitability

The CVSS base score of 7.8 indicates high severity. Since exploitation requires the victim to open a malicious file, the attack vector is local and user interaction is required. The absence of an EPSS score leaves the exact likelihood uncertain, but the high CVSS implies that if a suitable file is delivered, an attacker can achieve code execution. The vulnerability is not listed in the CISA KEV catalog, and no automated exploits have been reported publicly.

Generated by OpenCVE AI on April 14, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe InDesign Desktop update that addresses CVE-2026-27238.
  • If a patch is unavailable, restrict users from opening unknown InDesign files and educate them about the risk of opening unsolicited documents.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Adobe
                                       Adobe indesign Desktop
Vendors & Products                     Adobe
                                       Adobe indesign Desktop

Tue, 14 Apr 2026 20:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:00:00 +0000

Type          Values Removed    Values Added
Description                     InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title                           InDesign Desktop | Heap-based Buffer Overflow (CWE-122)
Weaknesses                      CWE-122
References
Metrics                         cvssV3_1
                                {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T03:58:36.317Z

Reserved: 2026-02-18T22:02:41.382Z

Link: CVE-2026-27238

Vulnrichment

Updated: 2026-04-14T19:40:03.277Z

NVD

Status: Undergoing Analysis

Published: 2026-04-14T17:16:47.717

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses