CVE-2026-34629
Published: 14 April 2026
Summary
CVE-2026-34629 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and patching of flaws like this heap-based buffer overflow in vulnerable InDesign versions to eliminate the vulnerability.
Provides memory protections such as non-executable memory and address space randomization that mitigate unauthorized code execution from heap buffer overflows.
Deploys malicious code protection mechanisms to scan and block malicious InDesign files before they can be opened and exploited.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in desktop app enables RCE via crafted malicious file opened by user, directly mapping to Exploitation for Client Execution (T1203) and User Execution: Malicious File (T1204.002).
NVD Description
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…
more
must open a malicious file.
Deeper analysisAI
CVE-2026-34629 is a heap-based buffer overflow vulnerability (CWE-122) affecting Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier. The flaw occurs during the processing of malicious files, potentially leading to arbitrary code execution in the context of the current user. Published on April 14, 2026, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact but with requirements for local access and user interaction.
An attacker can exploit this vulnerability by crafting a malicious file and tricking a victim into opening it within the affected InDesign versions. No special privileges are required (PR:N), and the attack has low complexity (AC:L), but it demands user interaction (UI:R), such as clicking to open the file. Successful exploitation allows arbitrary code execution with high confidentiality, integrity, and availability impacts, running in the user's context without scope changes.
Adobe's security bulletin APSB26-32 provides details on the vulnerability and mitigation, available at https://helpx.adobe.com/security/products/indesign/apsb26-32.html. Security practitioners should advise users to apply patches promptly and avoid opening untrusted files in vulnerable InDesign versions.
Details
- CWE(s)