Cyber Resilience

CVE-2026-21276

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21276 is a high-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-21276 is an Access of Uninitialized Pointer vulnerability (CWE-824) affecting Adobe InDesign Desktop versions 21.0, 19.5.5, and earlier. This flaw allows arbitrary code execution in the context of the current user when a victim opens a malicious file, as disclosed in the CVE published on 2026-01-13. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with low attack complexity but requiring local access and user interaction.

Exploitation requires an attacker to trick a user into opening a specially crafted malicious file using the affected InDesign versions. No privileges are needed (PR:N), making it accessible to any local attacker, though delivery typically involves social engineering such as phishing emails with malicious InDesign documents (.indd files). Successful exploitation results in arbitrary code execution with the privileges of the current user, potentially enabling full system compromise if the user has elevated rights.

Adobe's security bulletin APSB26-02 at https://helpx.adobe.com/security/products/indesign/apsb26-02.html details patches and mitigation steps for resolving this vulnerability in supported InDesign versions. Security practitioners should advise users to apply these updates promptly and avoid opening untrusted files in vulnerable installations.

EU & UK References

Vulnerability details

InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a…

more

victim must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1566.001 Spearphishing Attachment Initial Access
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Why these techniques?

Vulnerability enables arbitrary code execution via opening a malicious .indd file (T1204.002), commonly delivered through spearphishing attachments (T1566.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21275Same product: Adobe Indesign
CVE-2026-27284Same product: Adobe Indesign
CVE-2025-27175Same product: Adobe Indesign
CVE-2026-21304Same product: Adobe Indesign
CVE-2026-21277Same product: Adobe Indesign
CVE-2025-24453Same product: Adobe Indesign
CVE-2025-27171Same product: Adobe Indesign
CVE-2025-27166Same product: Adobe Indesign
CVE-2025-21123Same product: Adobe Indesign
CVE-2026-27238Same product: Adobe Indesign

Affected Assets

adobe
indesign
≤ 20.5.1 · 21.0 — 21.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation including patching vulnerable InDesign versions as detailed in Adobe bulletin APSB26-02, directly eliminating the uninitialized pointer vulnerability and preventing arbitrary code execution.

prevent

SI-16 implements memory protections like ASLR and DEP that mitigate exploitation of the uninitialized pointer dereference for arbitrary code execution even in unpatched systems.

detect

RA-5 mandates vulnerability scanning to identify systems running affected InDesign versions (21.0, 19.5.5 and earlier), enabling prompt remediation of this specific CVE.

References