Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow exists in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier. The flaw can be triggered by loading a specially crafted file, allowing an attacker to overwrite memory and execute arbitrary code in the context of the current user. The weakness is a heap-based buffer overflow (CWE-122) and could lead to full compromise of the targeted workstation, including data theft, ransomware, or persistence mechanisms.

Affected Systems

Adobe InDesign Desktop installations at versions 21.3, 20.5.3 or earlier are affected. Any deployment of these versions that processes external files is potentially vulnerable. Systems running newer releases are not known to be impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk. Because exploitation requires the user to open a malicious file, the attack depends on user interaction (UI:R) and the CVSS attack vector is local (AV:L). The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation remains uncertain, yet the potential impact warrants immediate attention.

Generated by OpenCVE AI on June 9, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check installed InDesign versions and compare against the latest Adobe security release notes.
  • Download and install the latest cumulative update for InDesign Desktop that addresses the heap-based buffer overflow.
  • Implement a policy to block or quarantine unknown or untrusted InDesign files until they can be verified by antivirus or sandbox tools.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe indesign, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe indesign, Apple, Apple macos, Microsoft, Microsoft windows |

Wed, 10 Jun 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 10 Jun 2026 00:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe indesign Desktop |
| Vendors & Products | | Adobe, Adobe indesign Desktop |

Tue, 09 Jun 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InDesign Desktop \| Heap-based Buffer Overflow (CWE-122) |
| Weaknesses | | CWE-122 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T10:08:24.150Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34701

Vulnrichment

Updated: 2026-06-10T10:08:19.493Z

NVD

Status: Analyzed

Published: 2026-06-09T18:16:41.830

Modified: 2026-06-10T13:01:17.190

Link: CVE-2026-34701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:15:16Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow