MEDIUM 5.5

CVE-2026-34704: InDesign NULL Pointer Dereference DoS Vulnerability

InDesign Desktop has a vulnerability that causes the application to crash when a user opens a specially crafted malicious file. While the crash itself doesn't expose data or allow an attacker to take control of the system, it does disrupt work by forcing the application to shut down unexpectedly. Versions 21.3, 20.5.3, and earlier are affected. An attacker must trick someone into opening the malicious file—the vulnerability does not spread on its own or affect systems remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-34704 is a NULL pointer dereference vulnerability (CWE-476) in Adobe InDesign Desktop. The flaw occurs when the application attempts to dereference a null pointer during file processing, triggering an unhandled exception that terminates the process. The vulnerability requires local access and user interaction; a victim must explicitly open a malicious document file. The attack surface is limited to file-opening operations, and there is no memory corruption, code execution, or privilege escalation path. The CVSS v3.1 score of 5.5 (MEDIUM) reflects high availability impact with no confidentiality or integrity risk.

Business impact

The primary impact is operational disruption. Creative teams relying on InDesign for design workflows will experience downtime when affected versions encounter malicious files, leading to missed deadlines and lost productivity. Organizations with shared asset libraries or external collaborators face elevated risk if untrusted design files enter the workflow. The medium severity rating reflects that while denial-of-service is real, it does not compromise data confidentiality or enable lateral movement. Recovery is straightforward—reopen the application—but repeated incidents could necessitate a shift to patched versions or alternative tools.

Affected systems

Adobe InDesign Desktop versions 21.3, 20.5.3, and all earlier releases are vulnerable. The vulnerability affects both macOS and Windows deployments, as InDesign runs on both platforms. Other Adobe Creative Cloud products are not mentioned in the advisory, so exposure is isolated to InDesign. Organizations should inventory InDesign instances and cross-reference against version 21.3 and 20.5.3 cutoffs to identify at-risk users.

Exploitability

Exploitability requires user interaction and local file access. An attacker must craft a malicious InDesign file and deliver it via email, web download, or file sharing—social engineering is necessary. The attack does not require elevated privileges, network access, or interaction with privileged processes. Once a user opens the file, the crash occurs locally with no further attacker involvement needed. The barrier to exploitation is low from a technical standpoint, but the dependency on user action and the need for the victim to explicitly open a file limits the attack surface in practice. This vulnerability is not believed to be actively exploited in the wild (KEV status: not listed).

Remediation

Adobe has released patched versions of InDesign Desktop. Users should update to the latest available version beyond 21.3 (or 20.5.3 for legacy branches) as published by Adobe. Verify the exact patch version against Adobe's official security advisory. In the interim, users can reduce risk by exercising caution when opening InDesign files from untrusted sources, particularly from external collaborators or unsolicited communications. Organizations may consider disabling file auto-open features if supported.

Patch guidance

Consult Adobe's official security advisory to confirm the exact patched version numbers for your deployment platform (macOS or Windows). InDesign Desktop updates are typically delivered through the Creative Cloud desktop application or direct downloads from Adobe's website. Test patched versions in a non-production environment before wide rollout to ensure compatibility with existing workflows and plugins. Users on version 20.5.3 or earlier should prioritize patching; version 21.3 users should also update but may have a slightly longer testing window if formal patch availability is delayed.

Detection guidance

Monitoring for this vulnerability is indirect, as the exploit is a file-based attack without network signature. Endpoint detection should focus on: (1) identifying InDesign process crashes or sudden terminations via event logs (Windows Event Viewer or macOS Console); (2) tracking InDesign version inventory through software asset management tools; (3) monitoring user reports of unexpected InDesign crashes, especially clustered around a specific time or file source; (4) observing failed file opens in InDesign audit logs if available. Consider enabling process monitoring on design workstations to alert on repeated InDesign crashes, which may indicate attempted exploitation.

Why prioritize this

While the CVSS score is MEDIUM (5.5), prioritization should account for organizational reliance on InDesign. For creative-heavy organizations, denial-of-service against design tools carries disproportionate business cost. The vulnerability is not in the CISA KEV catalog and is not known to be actively exploited, which lowers urgency relative to critical remote code execution flaws. However, patching should occur within 30–60 days as part of routine security updates, with accelerated timelines for organizations where design tool downtime directly impacts revenue or customer deliverables.

Risk score, explained

The CVSS v3.1 score of 5.5 reflects: Attack Vector = Local (file must be opened locally), Attack Complexity = Low (no special conditions required once file is opened), Privileges Required = None (no elevated access needed), User Interaction = Required (victim must open the file), Scope = Unchanged (impact is confined to the InDesign process), Confidentiality = None (no data leakage), Integrity = None (no data modification), Availability = High (application crash). The score appropriately captures the denial-of-service nature without overstating the threat, as there is no remote exploitation path, no data exfiltration, and no persistent system compromise.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local file access and user interaction. An attacker cannot trigger the crash over the network or without the victim opening a malicious file. Delivery of the malicious file (email, web link, etc.) is attacker-controlled, but the actual exploitation step is local and user-initiated.

Does this vulnerability allow code execution or data theft?

No. This is purely a denial-of-service vulnerability due to a NULL pointer dereference. It crashes the InDesign application but does not allow an attacker to execute arbitrary code, escalate privileges, or access sensitive documents. The crash terminates the process; recovery is a simple application restart.

Which versions of InDesign are affected?

Adobe InDesign Desktop versions 21.3, 20.5.3, and all earlier releases are vulnerable. Users should verify their installed version and consult Adobe's security advisory to confirm which patched versions address this flaw. Newer versions beyond 21.3 are expected to be safe.

Is this vulnerability being actively exploited?

As of the published date (June 9, 2026), this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild. However, organizations should not rely on this as justification for delaying patches, as exploitation could emerge after publication.

This analysis is based on publicly available vulnerability data as of the publication date and does not constitute a formal security audit or risk assessment for your organization. Patch version numbers and timelines should be verified against Adobe's official security advisory. Organizations should conduct their own testing and validation of patches in non-production environments before deployment. This summary does not replace vendor guidance or your organization's internal vulnerability management policy. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).