CVE-2026-27291

High

Published: 14 April 2026

Published

14 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27291 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-27291 by requiring timely patching of the out-of-bounds write vulnerability in affected Adobe InDesign versions as detailed in Adobe bulletin APSB26-32.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as DEP and ASLR to prevent arbitrary code execution resulting from the out-of-bounds write in InDesign when processing malicious files.

RA-5 Vulnerability Monitoring and Scanning good match

prevent

Scans systems for vulnerabilities like CVE-2026-27291 in InDesign, enabling identification and remediation of affected versions before exploitation via malicious files.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in InDesign enables arbitrary code execution when a user opens a crafted malicious file (UI:R, AV:L), directly matching T1204.002 Malicious File under User Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…

open a malicious file.

Deeper analysisAI

CVE-2026-27291 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier. The flaw could lead to arbitrary code execution in the context of the current user. It was published on 2026-04-14 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H).

Exploitation requires user interaction, specifically a victim opening a malicious file. An attacker with local access could craft such a file and trick the user into opening it, achieving arbitrary code execution with the privileges of the current user. The low attack complexity and lack of required privileges make it feasible for targeted attacks via socially engineered file delivery.

Adobe Security Bulletin APSB26-32, available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html, provides details on mitigation, including patches for affected versions. Security practitioners should advise users to apply updates promptly and exercise caution with unsolicited InDesign files.

Details

CWE(s): CWE-787

Affected Products

adobe

indesign

≤ 20.5.3 · 21.0 — 21.3

CVEs Like This One

CVE-2026-34627Same product: Adobe Indesign

CVE-2026-34629Same product: Adobe Indesign

CVE-2026-34628Same product: Adobe Indesign

CVE-2025-21161Same vendor: Adobe

CVE-2025-24441Same vendor: Adobe

CVE-2025-24451Same vendor: Adobe

CVE-2025-21138Same vendor: Adobe

CVE-2026-21306Same vendor: Adobe

CVE-2025-24444Same vendor: Adobe

CVE-2025-24442Same vendor: Adobe

References

https://helpx.adobe.com/security/products/indesign/apsb26-32.html
Vendor Advisory · psirt@adobe.com