Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier contain a heap-based buffer overflow (CWE-122). Loading a specially crafted file can trigger the flaw, allowing an attacker to overwrite heap memory and execute arbitrary code in the context of the current user. Successful exploitation could lead to full compromise of the targeted workstation, including data theft, ransomware, or persistence mechanisms.

Affected Systems

Adobe InDesign Desktop installations at versions 21.3, 20.5.3 or earlier are affected. Any deployment of these versions that processes external files is potentially vulnerable. Systems running newer releases are not known to be impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk. Exploitation requires user interaction, because the victim must open a malicious file. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so the extent of exploitation in the wild remains uncertain; the potential impact nonetheless warrants immediate attention.

Generated by OpenCVE AI on June 9, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check installed InDesign versions and compare against the latest Adobe security release notes.
  • Download and install the latest cumulative update for InDesign Desktop that addresses the heap-based buffer overflow.
  • Implement a policy to block or quarantine unknown or untrusted InDesign files until they can be verified by antivirus or sandbox tools.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title InDesign Desktop | Heap-based Buffer Overflow (CWE-122)
Weaknesses CWE-122
References
Metrics cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T17:43:56.799Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34701

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-09T18:16:41.830

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:15:15Z

Weaknesses