CVE-2026-27284
Out-of-Bounds Read in Adobe InDesign Enables Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-16
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | indesign | to 20.5.3 (exc) |
| adobe | indesign | From 21.0 (inc) to 21.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to execute code in the context of the current user by exploiting an out-of-bounds read when parsing a crafted file, potentially leading to unauthorized access or data compromise.
Such unauthorized access or data compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and user privacy.
However, exploitation requires user interaction (opening a malicious file), which may reduce the risk but does not eliminate it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid opening files from untrusted or unknown sources in affected versions of Adobe InDesign Desktop (versions 20.5.2, 21.2 and earlier). Since exploitation requires user interaction by opening a crafted file, exercising caution with file handling is critical.
Additionally, update Adobe InDesign Desktop to a version later than 20.5.2 or 21.2 once a patch is available to address this out-of-bounds read vulnerability.
Can you explain this vulnerability to me?
This vulnerability affects Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier. It is an out-of-bounds read issue that occurs when the software parses a specially crafted file. This means the program reads data beyond the allocated memory structure, which can lead to unexpected behavior.
An attacker could exploit this vulnerability by tricking a user into opening a malicious file, which could then allow the attacker to execute code with the same privileges as the current user.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute arbitrary code on your system with the privileges of the user who opened the malicious file.
This could lead to unauthorized actions such as installing malware, stealing data, or gaining further access to your system.
However, exploitation requires user interaction, meaning the victim must open a malicious file for the attack to succeed.