HIGH 7.8

CVE-2026-34696: Adobe InDesign Use After Free Remote Code Execution Vulnerability

Adobe InDesign versions 21.3, 20.5.3 and earlier contain a Use After Free memory vulnerability that allows attackers to execute arbitrary code on a user's computer. The flaw requires a user to open a specially crafted malicious file—there is no remote attack vector. Once triggered, an attacker gains full control of the application and can read, modify, or delete user data, install malware, or pivot to other systems with the privileges of the logged-in user.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-34696 is a Use After Free (CWE-416) vulnerability in Adobe InDesign that occurs when the application references memory that has already been freed. This memory corruption can be weaponized to corrupt the heap and achieve arbitrary code execution within InDesign's process context. The vulnerability is triggered when InDesign parses or processes a maliciously crafted document file. Since the flaw exists in versions 21.3 and 20.5.3 and earlier, it affects both current and legacy InDesign installations across macOS and Windows platforms.

Business impact

A successful exploitation could allow attackers to steal sensitive design documents, modify intellectual property before publication, inject malware into publishing workflows, or disrupt production environments that rely on InDesign for critical output. For design agencies, publishing houses, and marketing teams, this vulnerability poses a risk to confidentiality and integrity of assets. The attack requires social engineering or supply-chain compromise (malicious template or document distribution) to succeed, making it a realistic threat in environments where InDesign files are exchanged externally.

Affected systems

Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier running on Microsoft Windows and Apple macOS are affected. Users should verify their installed version in InDesign's About dialog (Help > About InDesign). Any organization with InDesign deployments at or below these versions should be considered at risk.

Exploitability

Exploitation requires user interaction—a victim must open a malicious file. There is no remote, unauthenticated attack path. An attacker would need to distribute a crafted InDesign document (.indd, .idml, or related format) via email, file sharing, or a compromised website. The barrier to exploitation is relatively low: a plausible social engineering pretext ("review this design proposal," "template update," etc.) combined with a malicious file. The CVSS score of 7.8 (HIGH) reflects the high impact of successful exploitation despite the requirement for user interaction.

Remediation

Apply the latest security patch from Adobe as soon as possible. Update InDesign to a version above 21.3 on macOS and Windows. Adobe typically delivers patches through the Creative Cloud desktop app (automatic or manual check for updates) or through the Adobe Download Center. Verify the update installation by confirming the new version number in Help > About InDesign. Until patched, users should avoid opening InDesign files from untrusted or unexpected sources.

Patch guidance

Initiate a patch cycle targeting all InDesign installations. Prioritize systems in design, marketing, and publishing departments where InDesign is regularly used. Use your organization's patch management or MDM solution to deploy updates, or enable automatic updates in Creative Cloud if governance allows. Test the patch in a non-production environment first to ensure compatibility with your InDesign workflows and plugins. Document the patch deployment date and versions for compliance records.

Detection guidance

Endpoint Detection and Response (EDR) solutions should monitor for InDesign process crashes or unexpected child process spawning from InDesign (indicator of code execution). File integrity monitoring can detect unauthorized modifications to InDesign application files. Network-based detection should flag unusual outbound connections originating from InDesign processes. Monitor file access logs for InDesign opening unexpected or suspicious document files. User training on not opening unexpected InDesign files from external senders provides a preventive control.

Why prioritize this

This vulnerability merits a HIGH priority classification. The CVSS score of 7.8 reflects high confidentiality, integrity, and availability impact. While user interaction is required, it is a realistic attack scenario in creative and publishing sectors where file sharing is common. The vulnerability affects multiple supported versions and both major operating systems. Rapid patching reduces the window of exposure before adversaries develop or distribute working exploits.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) is derived from: local attack vector (AV:L—file must be opened locally), low attack complexity (AC:L—no special conditions required), no privilege escalation needed (PR:N), user interaction required (UI:R), single system impact (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately reflects a serious but not critical vulnerability—it requires user action but delivers full compromise of the InDesign application and user context.

Frequently asked questions

Can InDesign be exploited remotely via the internet?

No. This vulnerability requires a user to open a malicious file locally on their computer. There is no remote network attack vector. An attacker would need to trick a user into opening a file through social engineering or distribute it via email or file-sharing services.

What versions of InDesign are vulnerable?

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected. Users running version 21.4 or later (once released) should be safe. Check your version in Help > About InDesign to confirm your current release.

If I update InDesign, will it affect my existing documents or workflows?

Patch updates are designed to be backward-compatible and should not disrupt your workflows or corrupt existing documents. However, always test the update in a non-production environment first, especially if you rely on specific plugins or custom workflows.

Is this vulnerability being actively exploited in the wild?

As of the publication date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been confirmed. However, organizations should not rely on this status and should patch promptly regardless.

This analysis is provided for informational purposes and reflects the state of vulnerability intelligence at the time of publication. CVSS scores and severity ratings are subject to change based on new attack vectors or exploitation data. Always verify patch availability and version numbers against official Adobe security advisories before deployment. This assessment does not constitute legal or compliance advice. Organizations should conduct their own risk assessment based on their specific environment, user population, and business criticality of InDesign systems. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).