Description
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A heap-based buffer overflow in Adobe InDesign Desktop allows an attacker to read portions of the process memory that may contain sensitive data. The flaw arises from an unchecked memory operation that can be triggered when a malicious file is opened, leading to unintended exposure of private information. This vulnerability is classified as CWE-122.

Affected Systems

Adobe InDesign Desktop versions 20.5.2, 21.2 and all earlier releases are vulnerable. Users running any of these releases should verify their current installation and determine whether an upgrade is required.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, and the EPSS score is unavailable. The vulnerability is not listed in the KEV catalog. Exploitation requires user interaction: a victim must open a crafted file, implying a social‑engineering or malicious file delivery attack vector. Given the constraints, the risk is moderate but still warrants timely remediation.

Generated by OpenCVE AI on April 14, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe InDesign to the latest available version that contains the security fix.
  • If an immediate update is not possible, avoid opening files from untrusted sources or disable automatic opening of files when receiving email attachments.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe indesign Desktop |
| Vendors & Products | | Adobe, Adobe indesign Desktop |

Tue, 14 Apr 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 14 Apr 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InDesign Desktop \| Heap-based Buffer Overflow (CWE-122) |
| Weaknesses | | CWE-122 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:37:43.093Z

Reserved: 2026-02-18T22:02:41.395Z

Link: CVE-2026-27286

Vulnrichment

Updated: 2026-04-14T19:35:43.900Z

NVD

Status: Undergoing Analysis

Published: 2026-04-14T17:16:48.357

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z