Skip to main content

Indesign Desktop CVE-2026-27286

| EUVD-2026-22442 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-04-14 adobe GHSA-r9v7-9p75-jjw3
Buffer Overflow Heap Overflow Indesign Desktop
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 18:49 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:00 euvd
EUVD-2026-22442
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today
CVE Published
Apr 14, 2026 - 16:45 nvd
MEDIUM 5.5

DescriptionCVE.org

InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Heap-based buffer overflow in Adobe InDesign Desktop versions 21.2 and earlier allows local attackers to disclose sensitive information from memory without authentication, requiring only user interaction to open a malicious file. The vulnerability has a CVSS score of 5.5 with high confidentiality impact but no integrity or availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious InDesign file
Delivery
Deliver via email or web
Exploit
Victim opens file in InDesign
Execution
Trigger heap buffer overflow in parser
Persist
Read adjacent heap memory
Impact
Exfiltrate sensitive data
Sign in to reveal

Vulnerability AssessmentAI

Risk Assessment While the CVSS score of 5.5 is moderate, the real-world risk is elevated by several factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious InDesign document (.indd file) that triggers a heap buffer overflow during parsing, corrupting heap memory and exposing adjacent allocated objects. The attacker delivers this file via email phishing or watering-hole attack, convincing a designer or publisher to open it in InDesign Desktop 21.2 or earlier. …
Remediation Users must upgrade InDesign Desktop to a patched version released after 21.2. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48293 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-i
CVE-2026-34695 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously craft
CVE-2026-34696 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition trigge
CVE-2026-34697 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow
CVE-2026-34698 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE

Share

CVE-2026-27286 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy