Skip to main content

Adobe InDesign Desktop CVE-2026-34701

| EUVD-2026-35784 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-09 adobe GHSA-2vq7-33x9-h9x9
Heap Overflow Buffer Overflow RCE Indesign Desktop
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 18:55 vuln.today

DescriptionCVE.org

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a heap-based buffer overflow triggered when a victim opens a maliciously crafted file. The flaw runs code in the security context of the current user and requires user interaction, with no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious InDesign document
Delivery
Deliver file via email or shared storage
Exploit
Victim opens file in InDesign
Execution
Trigger heap-based buffer overflow in parser
Persist
Hijack control flow to shellcode
Impact
Execute arbitrary code as current user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to manually open an attacker-supplied malicious file in a vulnerable Adobe InDesign Desktop installation (version 21.3, 20.5.3, or earlier), and the attacker must be able to deliver that file to the victim through a channel they trust (email attachment, shared drive, downloaded asset pack). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields 7.8 (High) and accurately reflects a client-side file-parsing bug: local attack vector with required user interaction (opening a malicious document), no privileges needed, and full confidentiality/integrity/availability impact in the user's context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious InDesign document containing a malformed structure that triggers the heap overflow and delivers it to a target designer via email, a shared cloud folder, or a fake client brief on a freelancer marketplace. When the victim opens the file in a vulnerable InDesign Desktop build, the overflow corrupts the heap and executes attacker-controlled shellcode as the logged-in user, enabling credential theft, lateral movement, or deployment of follow-on malware. …
Remediation The primary remediation is to apply the patched InDesign Desktop builds released by Adobe in security bulletin APSB26-58 (https://helpx.adobe.com/security/products/indesign/apsb26-58.html); upgrade installations running 21.3, 20.5.3, or earlier to the corresponding fixed versions listed there via the Creative Cloud desktop app. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Adobe InDesign Desktop installations documenting affected versions (21.3, 20.5.3 and earlier); alert design and marketing teams to avoid opening .indd/.idml files from external or untrusted sources; disable file preview for InDesign documents in operating system settings. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48293 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-i
CVE-2026-34695 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously craft
CVE-2026-34696 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition trigge
CVE-2026-34697 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow
CVE-2026-34698 HIGH
7.8 Jun 09

Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE

Share

CVE-2026-34701 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy