Cyber Posture

CVE-2026-34628

High

Published: 14 April 2026

Published
14 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34628 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires timely patching of the heap-based buffer overflow vulnerability in affected InDesign versions as provided by Adobe APSB26-32.

SI-16 Memory Protection good match
prevent

Implements memory protections such as DEP and ASLR that minimize the impact of heap-based buffer overflow exploitation leading to arbitrary code execution.

SI-3 Malicious Code Protection partial match
preventdetect

Malicious code protection mechanisms scan and block crafted malicious InDesign files delivered via email or shared documents before user interaction.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
T1566.001 Spearphishing Attachment Initial Access
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
attack.mitre.org →
Why these techniques?

Heap buffer overflow enables arbitrary code execution upon opening a crafted file (T1204.002); description explicitly notes delivery via email attachments and social engineering (T1566.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…

more

must open a malicious file.

Deeper analysisAI

CVE-2026-34628 is a heap-based buffer overflow vulnerability (CWE-122) affecting Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H). The issue could result in arbitrary code execution in the context of the current user.

Exploitation requires user interaction, as a victim must open a malicious file processed by the vulnerable InDesign component. Local attackers with no privileges can leverage this by delivering a crafted file, such as through email attachments or shared documents, tricking users via social engineering. Successful exploitation enables arbitrary code execution with the current user's privileges, potentially leading to full system compromise on the affected machine.

Adobe Security Bulletin APSB26-32, available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html, addresses this vulnerability and provides guidance on available patches for mitigation.

Details

CWE(s)
CWE-122

Affected Products

adobe
indesign
≤ 20.5.3 · 21.0 — 21.3

CVEs Like This One

CVE-2026-34627Same product: Adobe Indesign
CVE-2026-34629Same product: Adobe Indesign
CVE-2026-27291Same product: Adobe Indesign
CVE-2025-27173Same vendor: Adobe
CVE-2026-27238Same product: Adobe Indesign
CVE-2025-24439Same vendor: Adobe
CVE-2025-24443Same vendor: Adobe
CVE-2025-21139Same vendor: Adobe
CVE-2025-21137Same vendor: Adobe
CVE-2025-21169Same vendor: Adobe

References