Cyber Posture

CVE-2026-27284

High

Published: 14 April 2026

Modified: 16 April 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27284 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Adobe InDesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Requires timely installation of vendor patches to remediate the out-of-bounds read vulnerability in affected Adobe InDesign versions, directly preventing exploitation via crafted files.

prevent

Implements memory protection safeguards like ASLR and DEP to block arbitrary code execution even if an out-of-bounds read occurs during InDesign file parsing.

detect

Enables periodic vulnerability scanning to identify systems running vulnerable InDesign versions affected by CVE-2026-27284.

MITRE ATT&CK Enterprise Techniques [AI]

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability is a memory corruption flaw in file parsing that is directly triggered when a user opens a crafted malicious file, resulting in arbitrary code execution; this precisely matches the User Execution technique via a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysis [AI]

CVE-2026-27284 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier. The flaw occurs when parsing a crafted file, which could result in a read past the end of an allocated memory structure. Published on 2026-04-14, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires user interaction, as a victim must open a malicious file. An attacker with local access can leverage this to execute arbitrary code in the context of the current user, potentially compromising confidentiality, integrity, and availability.

Adobe's security bulletin APSB26-32, available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html, provides details on mitigation and patches for this vulnerability.

Details

CWE(s)

Affected Products

adobe
indesign
≤ 20.5.3 · 21.0 — 21.3

CVEs Like This One

CVE-2026-21322 · Same product: Apple macOS
CVE-2026-21345 · Same product: Apple macOS
CVE-2025-27175 · Same product: Adobe InDesign
CVE-2026-21304 · Same product: Adobe InDesign
CVE-2026-21343 · Same product: Apple macOS
CVE-2026-21344 · Same product: Apple macOS
CVE-2026-21324 · Same product: Apple macOS
CVE-2025-24452 · Same product: Adobe InDesign
CVE-2025-21157 · Same product: Adobe InDesign
CVE-2026-27238 · Same product: Adobe InDesign
