Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a null pointer dereference that can crash the InDesign Desktop application. An attacker can cause the software to terminate, resulting in a denial-of-service for the affected user. The flaw resides in memory handling of file input, as indicated by the CWE-476 classification. The documented impact is the loss of service for the application; no arbitrary code execution or data exfiltration is reported.

Affected Systems

Adobe InDesign Desktop versions 21.3, 20.5.3 and all earlier releases are impacted. Any installation of these builds that processes user-specified files may be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 rates this vulnerability as Medium severity. Its EPSS is not available and it is not listed in the CISA KEV catalog, indicating a lower frequency of observed exploitation. However, the attack requires the victim to open a malicious file, so the likelihood of exploitation depends on user behavior. The typical exploitation path involves the user opening a crafted file, which triggers the null dereference and crashes the application; no privilege escalation or data compromise is involved.

Generated by OpenCVE AI on June 9, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Adobe InDesign Desktop update that addresses the null pointer dereference
  • Restrict or disable automatic opening of untrusted files and enforce user confirmation before processing
  • Limit user privileges for opening external files or run InDesign in a sandboxed environment to contain crashes



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe indesign; Apple; Apple macos; Microsoft; Microsoft windows |
| CPEs | | `cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*`; `cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*`; `cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*` |
| Vendors & Products | | Adobe indesign; Apple; Apple macos; Microsoft; Microsoft windows |

Wed, 10 Jun 2026 01:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe indesign Desktop |
| Vendors & Products | | Adobe; Adobe indesign Desktop |

Tue, 09 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Tue, 09 Jun 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InDesign Desktop \| NULL Pointer Dereference (CWE-476) |
| Weaknesses | | CWE-476 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:58:30.310Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34703

Vulnrichment

Updated: 2026-06-09T18:58:25.477Z

NVD

Status: Analyzed

Published: 2026-06-09T18:16:42.333

Modified: 2026-06-10T13:01:22.350

Link: CVE-2026-34703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:30:17Z
