CVE-2026-34696 - Vulnerability Details

Description

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2026-06-09

Score: 7.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

InDesign Desktop is vulnerable because of a Use After Free error that can enable an attacker to run arbitrary code in the context of the user opening a specially crafted file. The flaw exists in version 21.3, 20.5.3, and earlier releases.

Affected Systems

Adobe InDesign Desktop, versions 21.3, 20.5.3 and all older releases.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating a high severity. The EPSS score is not available, so the current exploitation probability is unknown, and the issue is not listed in the CISA KEV catalog. Exploitation requires the victim to open a malicious file, so the attack vector is local user interaction. Successful exploitation would give the attacker arbitrary code execution as the current user, potentially allowing further escalation or system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

InDesign Desktop

affected

Version	Status	Constraints
`0`	affected	≤ 20.5.3

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the security update for Adobe InDesign Desktop as detailed in the Adobe advisory (https://helpx.adobe.com/security/products/indesign/apsb26-58.html).
If updating is not immediately possible, prevent the opening of untrusted or unknown files by configuring InDesign preferences to block or require user confirmation for external file types.
Deploy monitoring for anomalous execution behavior or unexpected privilege changes that could indicate exploitation of this flaw.

Generated by OpenCVE AI on June 9, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://helpx.adobe.com/security/products/indesign/apsb26-58.html

History

Tue, 09 Jun 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title		InDesign Desktop \| Use After Free (CWE-416)
Weaknesses		CWE-416
References		https://helpx.adobe.com/security/products/indesign/apsb26-58.html
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-06-09T17:43:53.419Z

Updated: 2026-06-09T18:15:23.078Z

Reserved: 2026-03-30T17:30:36.497Z

Link: CVE-2026-34696

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-09T18:16:40.513

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses

CWE-416

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34696", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-03-30T17:30:36.497Z", "datePublished": "2026-06-09T17:43:53.419Z", "dateUpdated": "2026-06-09T18:15:23.078Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "InDesign Desktop", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "20.5.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-06-09T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.8, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.8, "temporalSeverity": "HIGH", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "Use After Free (CWE-416)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-06-09T17:43:53.419Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/indesign/apsb26-58.html"}], "source": {"discovery": "EXTERNAL"}, "title": "InDesign Desktop | Use After Free (CWE-416)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-09T18:12:51.384872Z", "id": "CVE-2026-34696", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T18:15:23.078Z"}}]}}

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object