Description
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read in Adobe InDesign Desktop allows a memory disclosure when a malicious file is opened. The flaw can expose confidential data stored in memory. The vulnerability is classified as CWE‑125 and is triggered only when the victim opens a crafted document, so the attacker cannot influence the read without user interaction.

Affected Systems

Adobe InDesign Desktop, versions 21.3, 20.5.3 and all older releases are affected. The issue originates from the file‑parsing component that does not correctly bound‑check a memory buffer when processing certain document types.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate risk. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting limited exploitation data to date. However, because the attack requires opening a file, it is most likely to be used in malware or phishing campaigns where a user is tricked into opening a malicious document. The need for user interaction lowers the likelihood of widespread exploitation, but it remains a valid threat for environments that process untrusted files.

Generated by OpenCVE AI on June 9, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe InDesign Desktop update that includes the out‑of‑bounds read fix.
  • Do not open documents from untrusted or unknown sources.
  • Configure the application to disable automatic opening of files or enforce strict file type validation.

Generated by OpenCVE AI on June 9, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe indesign Desktop
Vendors & Products Adobe
Adobe indesign Desktop

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title InDesign Desktop | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Indesign Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:41:55.687Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34705

cve-icon Vulnrichment

Updated: 2026-06-09T18:41:52.613Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T18:16:42.833

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34705

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:30:17Z

Weaknesses