Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑based buffer overflow in Adobe InDesign Desktop allows an attacker to execute arbitrary code within the context of the user opening a malicious document. The vulnerability can lead to compromise of confidentiality, integrity, and availability of the affected system, as the attacker gains the same privileges as the victim user. This weakness is identified as CWE‑122.

Affected Systems

Adobe InDesign Desktop versions 21.3, 20.5.3, and earlier are affected.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. No EPSS score is available, so the current likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA's KEV catalog. An attacker needs the victim to open a crafted file, so the primary attack vector is a malicious document opened by the user. If the malicious document is opened, arbitrary code execution can occur with the victim's privileges.

Generated by OpenCVE AI on June 9, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe InDesign update that addresses the heap overflow
  • Configure InDesign or the host system to open files only from trusted sources, or disable auto-open of unknown documents
  • Run InDesign in a sandboxed or least‑privileged user context to limit the potential impact of an exploit



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe indesign Desktop
Vendors & Products | | Adobe; Adobe indesign Desktop

Tue, 09 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | InDesign Desktop | Heap-based Buffer Overflow (CWE-122)
Weaknesses | | CWE-122
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T03:59:41.856Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34699

Vulnrichment

Updated: 2026-06-09T18:36:53.748Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T18:16:41.327

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T03:00:10Z

Weaknesses