CVE-2026-34627
Published: 14 April 2026
Summary
CVE-2026-34627 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, testing, and deployment of security patches to remediate the heap-based buffer overflow vulnerability in vulnerable InDesign versions.
Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of heap buffer overflows to prevent arbitrary code execution.
Provides malicious code protection through scanning and blocking of potentially malicious files that could trigger the buffer overflow when opened in InDesign.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The heap-based buffer overflow in Adobe InDesign during malicious file processing directly enables arbitrary code execution on the client, mapping to Exploitation for Client Execution (T1203) and User Execution via Malicious File (T1204.002).
NVD Description
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…
more
must open a malicious file.
Deeper analysisAI
CVE-2026-34627 is a heap-based buffer overflow vulnerability (CWE-122) affecting Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability with low attack complexity but requiring local access and user interaction.
An attacker can exploit this vulnerability by crafting a malicious file that, when opened by a victim in a vulnerable InDesign version, triggers the buffer overflow and executes arbitrary code with the privileges of the logged-in user. No special privileges are needed (PR:N), but exploitation relies on user interaction, such as convincing the target to open the file via email, shared drives, or other social engineering vectors. Successful exploitation grants full control over the affected system, potentially enabling data theft, malware deployment, or further lateral movement.
Adobe's security bulletin APSB26-32, available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html, provides details on the vulnerability and recommends mitigation steps, including applying the latest security updates to InDesign Desktop.
Details
- CWE(s)