Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

InDesign Desktop contains a Use After Free error that can enable an attacker to run arbitrary code in the context of the user who opens a specially crafted file. The flaw exists in versions 21.3, 20.5.3, and earlier releases.

Affected Systems

Adobe InDesign Desktop, versions 21.3, 20.5.3 and all older releases.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity. The EPSS score is not available, so the current exploitation probability is unknown, and the issue is not listed in the CISA KEV catalog. Exploitation requires the victim to open a malicious file, so the attack vector is local and user interaction is required. Successful exploitation would give the attacker arbitrary code execution as the current user, potentially allowing further escalation or system compromise.

Generated by OpenCVE AI on June 9, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for Adobe InDesign Desktop as detailed in the Adobe advisory (https://helpx.adobe.com/security/products/indesign/apsb26-58.html).
  • If updating is not immediately possible, prevent the opening of untrusted or unknown files by configuring InDesign preferences to block or require user confirmation for external file types.
  • Deploy monitoring for anomalous execution behavior or unexpected privilege changes that could indicate exploitation of this flaw.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe indesign, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:indesign:\*:\*:\*:\*:\*:\*:\*:\*, cpe:2.3:o:apple:macos:-:\*:\*:\*:\*:\*:\*:\*, cpe:2.3:o:microsoft:windows:-:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Adobe indesign, Apple, Apple macos, Microsoft, Microsoft windows |

Wed, 10 Jun 2026 06:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 10 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe indesign Desktop |
| Vendors & Products | | Adobe, Adobe indesign Desktop |

Tue, 09 Jun 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InDesign Desktop \| Use After Free (CWE-416) |
| Weaknesses | | CWE-416 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T03:59:44.152Z

Reserved: 2026-03-30T17:30:36.497Z

Link: CVE-2026-34696

Vulnrichment

Updated: 2026-06-09T18:14:53.480Z

NVD

Status: Analyzed

Published: 2026-06-09T18:16:40.513

Modified: 2026-06-10T13:01:02.680

Link: CVE-2026-34696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses