Cyber Resilience

CVE-2026-34627

High

Published: 14 April 2026

Published
14 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34627 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34627 is a heap-based buffer overflow vulnerability (CWE-122) affecting Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability with low attack complexity but requiring local access and user interaction.

An attacker can exploit this vulnerability by crafting a malicious file that, when opened by a victim in a vulnerable InDesign version, triggers the buffer overflow and executes arbitrary code with the privileges of the logged-in user. No special privileges are needed (PR:N), but exploitation relies on user interaction, such as convincing the target to open the file via email, shared drives, or other social engineering vectors. Successful exploitation grants full control over the affected system, potentially enabling data theft, malware deployment, or further lateral movement.

Adobe's security bulletin APSB26-32, available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html, provides details on the vulnerability and recommends mitigation steps, including applying the latest security updates to InDesign Desktop.

EU & UK References

Vulnerability details

InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…

more

must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The heap-based buffer overflow in Adobe InDesign during malicious file processing directly enables arbitrary code execution on the client, mapping to Exploitation for Client Execution (T1203) and User Execution via Malicious File (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34629Same product: Adobe Indesign
CVE-2026-34628Same product: Adobe Indesign
CVE-2026-27291Same product: Adobe Indesign
CVE-2025-27173Same vendor: Adobe
CVE-2026-34642Same vendor: Adobe
CVE-2026-27238Same product: Adobe Indesign
CVE-2025-21139Same vendor: Adobe
CVE-2025-24443Same vendor: Adobe
CVE-2025-21169Same vendor: Adobe
CVE-2025-21137Same vendor: Adobe

Affected Assets

adobe
indesign
≤ 20.5.3 · 21.0 — 21.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, testing, and deployment of security patches to remediate the heap-based buffer overflow vulnerability in vulnerable InDesign versions.

prevent

Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of heap buffer overflows to prevent arbitrary code execution.

preventdetect

Provides malicious code protection through scanning and blocking of potentially malicious files that could trigger the buffer overflow when opened in InDesign.

References