Cyber Posture

CVE-2026-21304

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21304 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation, directly preventing exploitation of the known heap-based buffer overflow in vulnerable InDesign versions via patching.

SI-16 Memory Protection good match
prevent

Enforces memory protections such as ASLR and DEP that mitigate heap buffer overflow vulnerabilities against arbitrary code execution.

SI-3 Malicious Code Protection good match
preventdetect

Deploys malicious code protection mechanisms to scan and block malicious InDesign files or resulting payloads before or during execution.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Heap overflow in file parser directly enables arbitrary code execution triggered by opening a crafted InDesign document (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…

more

must open a malicious file.

Deeper analysisAI

CVE-2026-21304 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions 21.0, 19.5.5, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact but with requirements for local access and user interaction.

Exploitation requires an attacker to deliver a malicious file to a victim, who must then open it in the vulnerable InDesign version. No special privileges are needed (PR:N), and the attack complexity is low (AC:L), making it feasible for adversaries targeting creative professionals or organizations using InDesign. Successful exploitation allows arbitrary code execution with the privileges of the logged-in user, potentially enabling data theft, malware implantation, or further system compromise.

Adobe's security bulletin (APSB26-02) at https://helpx.adobe.com/security/products/indesign/apsb26-02.html provides details on patches and mitigations for affected versions. Security practitioners should advise users to apply updates immediately and avoid opening untrusted files in InDesign.

Details

CWE(s)
CWE-122CWE-787

Affected Products

adobe
indesign
≤ 20.5.1 · 21.0 — 21.1

CVEs Like This One

CVE-2026-21277Same product: Adobe Indesign
CVE-2025-27175Same product: Adobe Indesign
CVE-2025-27171Same product: Adobe Indesign
CVE-2026-21357Same product: Adobe Indesign
CVE-2025-24453Same product: Adobe Indesign
CVE-2025-27177Same product: Adobe Indesign
CVE-2025-21123Same product: Adobe Indesign
CVE-2025-24452Same product: Adobe Indesign
CVE-2025-21157Same product: Adobe Indesign
CVE-2026-27238Same product: Adobe Indesign

References