CVE-2026-21276
Published: 13 January 2026
Summary
CVE-2026-21276 is a high-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation including patching vulnerable InDesign versions as detailed in Adobe bulletin APSB26-02, directly eliminating the uninitialized pointer vulnerability and preventing arbitrary code execution.
SI-16 implements memory protections like ASLR and DEP that mitigate exploitation of the uninitialized pointer dereference for arbitrary code execution even in unpatched systems.
RA-5 mandates vulnerability scanning to identify systems running affected InDesign versions (21.0, 19.5.5 and earlier), enabling prompt remediation of this specific CVE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables arbitrary code execution via opening a malicious .indd file (T1204.002), commonly delivered through spearphishing attachments (T1566.001).
NVD Description
InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a…
more
victim must open a malicious file.
Deeper analysisAI
CVE-2026-21276 is an Access of Uninitialized Pointer vulnerability (CWE-824) affecting Adobe InDesign Desktop versions 21.0, 19.5.5, and earlier. This flaw allows arbitrary code execution in the context of the current user when a victim opens a malicious file, as disclosed in the CVE published on 2026-01-13. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with low attack complexity but requiring local access and user interaction.
Exploitation requires an attacker to trick a user into opening a specially crafted malicious file using the affected InDesign versions. No privileges are needed (PR:N), making it accessible to any local attacker, though delivery typically involves social engineering such as phishing emails with malicious InDesign documents (.indd files). Successful exploitation results in arbitrary code execution with the privileges of the current user, potentially enabling full system compromise if the user has elevated rights.
Adobe's security bulletin APSB26-02 at https://helpx.adobe.com/security/products/indesign/apsb26-02.html details patches and mitigation steps for resolving this vulnerability in supported InDesign versions. Security practitioners should advise users to apply these updates promptly and avoid opening untrusted files in vulnerable installations.
Details
- CWE(s)