Description
InCopy versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe InCopy versions 21.3, 20.5.3 and all earlier releases contain a stack‑based buffer overflow that an attacker can trigger by providing a specially crafted file. The overflow can overwrite return addresses on the call stack, enabling the execution of arbitrary code in the context of the current user. The vulnerability does not require special privilege or network connectivity, so its impact is limited to the account that opens the malicious file, but it still allows an attacker to compromise local integrity and confidentiality by running arbitrary programs.

Affected Systems

Adobe InCopy products, specifically version 21.3, version 20.5.3 and any earlier release. No other Adobe applications are affected according to the current advisory.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. Exploitation requires user interaction: a victim must open a malicious file, which limits exploitability to social engineering or drive‑by attacks. The EPSS score is not available, but the lack of a KEV listing suggests no widespread exploitation has been observed yet. Nevertheless, because the flaw enables arbitrary code execution, the potential damage, including data theft, modification, or local denial of service, is significant if the victim is a privileged user.

Generated by OpenCVE AI on June 9, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe’s latest security update for InCopy that removes the buffer overflow vulnerability
  • Configure Adobe InCopy or network policy to block opening of untrusted or unfamiliar files, and install an application firewall to monitor executable code injections
  • Adopt the principle of least privilege: run InCopy under a user account with minimal rights and use operating‑system sandboxing features to isolate the application from critical system components



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 09 Jun 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | InCopy versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | InCopy \| Stack-based Buffer Overflow (CWE-121) |
| Weaknesses | | CWE-121 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |



MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T18:33:33.691Z

Reserved: 2026-03-30T17:30:36.498Z

Link: CVE-2026-34708

Vulnrichment

Updated: 2026-06-09T18:33:29.794Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T18:16:43.580

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-34708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:07Z

Weaknesses