Description
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier suffer an out‑of‑bounds write that allows a malicious document to corrupt memory and execute code with the privileges of the user who opens the file. The flaw originates from improper bounds checking during parsing of certain file formats. Successful exploitation can lead to arbitrary code execution, providing the attacker full control over the affected system in the context of the compromised user.

Affected Systems

Adobe InDesign Desktop versions 20.5.2, 21.2 and any earlier builds are affected. These versions are included in the 2026 Adobe product suite and are deployed in creative studios and graphic design environments.

Risk and Exploitability

The CVSS base score of 7.8 indicates a high severity. EPSS data is not reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction: the victim must open a specially crafted InDesign file. As the flaw is triggered during file parsing, the likely attack vector is a malicious document or a file embedded in a phishing email. Given the user‑interaction prerequisite, the risk is medium to high for individuals who frequently open unknown design files.

Generated by OpenCVE AI on April 14, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe InDesign Desktop to the latest version or apply the vendor‑issued patch that addresses the out‑of‑bounds write
  • If an immediate update is unavailable, refrain from opening untrusted InDesign files until the update is applied
  • Consider disabling automatic file opening or implementing sandboxing for InDesign to limit the impact of any potential exploitation

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe indesign Desktop |
| Vendors & Products | | Adobe; Adobe indesign Desktop |

Tue, 14 Apr 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 14 Apr 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InDesign Desktop \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T03:58:31.384Z

Reserved: 2026-02-18T22:02:41.395Z

Link: CVE-2026-27291

Vulnrichment

Updated: 2026-04-14T19:39:38.994Z

NVD

Status: Undergoing Analysis

Published: 2026-04-14T17:16:48.507

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-27291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses