CVE-2026-27287
Published: 14 April 2026
Summary
CVE-2026-27287 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Adobe Incopy. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the out-of-bounds read vulnerability by requiring timely remediation through application of Adobe patches for affected InCopy versions.
Implements memory protections like ASLR, DEP, and stack guards that prevent exploitation of the out-of-bounds read for arbitrary code execution.
Deploys malicious code protection mechanisms to scan and block crafted malicious files targeting the InCopy parsing vulnerability before execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in file parser directly enables T1203 (Exploitation for Client Execution) for arbitrary code execution; crafted file delivery and user open action map to T1204.002 (Malicious File).
NVD Description
InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute…
more
code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Deeper analysisAI
CVE-2026-27287 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe InCopy versions 20.5.2, 21.2, and earlier. The flaw arises during the parsing of a crafted file, which can cause a read past the end of an allocated memory structure. Published on 2026-04-14, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as high severity.
Exploitation requires an attacker to deliver a malicious file to a victim, who must then open it with the affected InCopy version, necessitating user interaction and local access but no privileges. Low attack complexity enables remote attackers to craft such files for distribution via email, shared drives, or other vectors. Successful exploitation allows arbitrary code execution in the context of the current user, potentially leading to full system compromise including high impacts on confidentiality, integrity, and availability.
Adobe Security Bulletin APSB26-33 provides details on mitigations and patches, available at https://helpx.adobe.com/security/products/incopy/apsb26-33.html.
Details
- CWE(s)