CVE-2026-34695: Adobe InDesign Stack-Based Buffer Overflow RCE Vulnerability
Adobe InDesign versions 21.3, 20.5.3 and earlier contain a stack-based buffer overflow vulnerability that could allow an attacker to execute arbitrary code on a victim's computer. An attacker would need to trick a user into opening a malicious file—there is no remote exploitation vector. The vulnerability affects InDesign on both Windows and macOS systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stack-based buffer overflow (CWE-121) in Adobe InDesign that arises from improper bounds checking when processing file input. The vulnerability resides in memory allocated on the stack; when a specially crafted file is processed, an attacker can overflow a buffer and overwrite the return address or other critical stack data, redirecting execution to attacker-controlled code. The attack succeeds in the security context of the logged-in user without requiring elevated privileges. User interaction—specifically opening a malicious file—is a hard requirement for exploitation.
Business impact
A successful attack could grant an attacker the ability to install malware, steal sensitive documents, exfiltrate data, or establish persistence on affected workstations. Because InDesign is commonly used by design, publishing, and marketing teams to handle proprietary layouts, brand assets, and client materials, a compromise could expose high-value intellectual property. The attack surface includes any workflow where users receive InDesign files from external or untrusted sources.
Affected systems
Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier running on Windows or macOS are vulnerable. Organizations should inventory InDesign installations and their version numbers. Note that the vulnerability affects specific version lineages; patched versions above these thresholds are not affected. Mobile versions and cloud-based alternatives are outside the scope of this CVE.
Exploitability
Exploitation requires user interaction and cannot be triggered remotely or without the victim's involvement. An attacker must craft a malicious InDesign file (.indd or related format) and convince or socially engineer a user into opening it. The barrier is social engineering rather than technical; once a user opens the file, code execution happens automatically without further prompts. This makes spear-phishing campaigns targeting design teams a plausible attack vector.
Remediation
Upgrade Adobe InDesign Desktop to a patched version above 21.3 or 20.5.3 as specified in Adobe's security advisory. Verify the exact patched version numbers against Adobe's official bulletin before deployment. As an interim control, restrict file open dialogs to trusted sources and educate users not to open InDesign files from unexpected senders. Consider disabling InDesign's auto-open features if your workflow permits.
Patch guidance
Check Adobe's official security advisory for the specific patched versions applicable to your InDesign release track. Typically, Adobe releases updates through the Creative Cloud subscription model; verify patch availability in your deployment channel (direct download, enterprise admin console, or managed update service). Test patches in a non-production environment against your active InDesign documents to ensure compatibility before broad rollout. Schedule patching promptly given the HIGH severity rating and the presence of a clear exploitation path.
Detection guidance
Monitor file open events in InDesign through endpoint detection and response (EDR) tools, particularly for .indd files from external or suspicious sources. Look for unexpected child process spawning or memory corruption indicators following InDesign file opens. Network-level detection is limited since this is a local file parsing issue; focus defenses on endpoint behavior monitoring and user awareness. Forensic indicators include InDesign process crashes or abnormal termination with stack trace evidence of overflow conditions.
Why prioritize this
This vulnerability merits urgent patching because it combines HIGH severity (full code execution with no privilege escalation needed), a clear user-interaction exploitation path, and prevalence in design-heavy organizations. While not yet tracked in CISA's Known Exploited Vulnerabilities catalog, the straightforward attack surface makes it a probable target for targeted campaigns. Delay in patching leaves design teams exposed to credential theft, ransomware staging, or supply-chain compromise if threat actors use compromised workstations to modify or exfiltrate client assets.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector with no privilege escalation, high confidentiality/integrity/integrity impact, and a requirement for user interaction. The stack-based overflow (CWE-121) is a well-understood and relatively predictable vulnerability class, avoiding the highest severity band. However, the combination of arbitrary code execution capability and the design workflow context—where file-sharing is routine—elevates practical risk above the numerical score alone.
Frequently asked questions
Can this vulnerability be exploited over the network or via email attachment?
No. The vulnerability requires local file access and user action to open a malicious InDesign file. However, an attacker could distribute a malicious .indd file via email or a file-sharing service and use social engineering to trick a user into opening it, making email a delivery channel even though the exploit itself is local.
Are InDesign cloud or web-based versions affected?
No, this CVE affects Adobe InDesign Desktop only. Cloud-based or browser-based design tools are not impacted by this stack-based buffer overflow.
What should I do if I cannot patch immediately?
Prioritize patching as soon as feasible. In the interim, educate users not to open .indd files from untrusted sources, disable auto-open features if possible, and enable enhanced monitoring of InDesign process behavior on your endpoints.
Is this vulnerability being actively exploited in the wild?
As of the advisory date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, but that does not guarantee absence of exploit activity. Assume targeted campaigns may be developing or deploying exploits, and treat this as a high-priority patch accordingly.
This analysis is provided for informational purposes to assist cybersecurity professionals in vulnerability management and risk prioritization. The information is accurate as of the publication date but may be superseded by official vendor advisories. Verify all patch versions and compatibility against Adobe's official security bulletin before deploying updates in production environments. Organizations should conduct their own risk assessments and testing. SEC.co makes no warranty regarding the completeness or accuracy of third-party vulnerability data. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34697HIGHAdobe InDesign Stack Overflow Vulnerability – Arbitrary Code Execution Risk
- CVE-2026-34702HIGHAdobe InDesign Stack Overflow Remote Code Execution Vulnerability
- CVE-2026-34708HIGHAdobe InCopy Stack Overflow RCE Vulnerability
- CVE-2026-10898HIGHChrome GPU Stack Buffer Overflow Sandbox Escape
- CVE-2026-11024HIGHChrome Skia Stack Buffer Overflow - Patch Guide & Risk Analysis
- CVE-2026-34693HIGHAdobe Experience Manager Forms JEE Reflected XSS Vulnerability
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-34698HIGHAdobe InDesign Heap Buffer Overflow (CVSS 7.8)