Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a null pointer dereference that can crash the InDesign Desktop application. An attacker can cause the software to terminate, resulting in a denial-of-service for the affected user. The flaw is triggered while processing file input and is classified as CWE-476 (NULL Pointer Dereference). The documented impact is the loss of service for the application; no arbitrary code execution or data exfiltration is reported.

Affected Systems

Adobe InDesign Desktop versions 21.3, 20.5.3 and all earlier releases are impacted. Any installation of these builds that processes user-specified files may be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 rates this vulnerability as Medium severity. Its EPSS score is not available and it is not listed in the CISA KEV catalog, so there is no record here of observed exploitation. The attack requires the victim to open a malicious file, so the likelihood of exploitation depends on user behavior. The typical exploitation path involves the user opening a crafted file, which triggers the null dereference and crashes the application; the attacker needs no privileges, and no privilege escalation or data compromise results.

Generated by OpenCVE AI on June 9, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Adobe InDesign Desktop update that addresses the null pointer dereference
  • Restrict or disable automatic opening of untrusted files and enforce user confirmation before processing
  • Limit user privileges for opening external files or run InDesign in a sandboxed environment to contain crashes

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | InDesign Desktop | NULL Pointer Dereference (CWE-476)
Weaknesses | | CWE-476
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:58:30.310Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34703

Vulnrichment

Updated: 2026-06-09T18:58:25.477Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T18:16:42.333

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses