EUVD-2026-22652
GHSA-wp47-6c9c-57m5
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. No public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must open a malicious file in Adobe InDesign Desktop versions 20.5.2, 21.2, or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate despite the 7.8 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious InDesign document exploiting the heap overflow vulnerability and distributes it via spear-phishing email to graphic designers at a target publishing company, disguised as a legitimate client project file or template. When a victim opens the weaponized .indd file in their vulnerable InDesign Desktop installation, the malformed data triggers the heap-based buffer overflow during document parsing, corrupting memory structures and hijacking execution flow to attacker-supplied shellcode embedded in the file. … |
| Remediation | Users should immediately update Adobe InDesign Desktop to the patched versions specified in Adobe Security Bulletin APSB26-32 available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all InDesign Desktop installations and identify users running versions 20.5.2, 21.2, or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-i
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously craft
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition trigge
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE
Share
External POC / Exploit Code
Leaving vuln.today