CVE-2026-27286
Heap-Based Buffer Overflow in Adobe InDesign Risks Memory Exposure
Publication date: 2026-04-14
Last updated on: 2026-04-16
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | indesign | to 20.5.3 (exc) |
| adobe | indesign | From 21.0 (inc) to 21.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-based buffer overflow found in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier. It occurs when a user opens a specially crafted malicious file, which can cause the program to improperly handle memory buffers on the heap.
As a result, an attacker could exploit this flaw to cause memory exposure, potentially disclosing sensitive information stored in the application's memory.
How can this vulnerability impact me? :
If exploited, this vulnerability could lead to the disclosure of sensitive information from the memory of the affected application.
Since exploitation requires user interaction (opening a malicious file), the risk depends on the likelihood of a user opening such a file.
The impact is primarily confidentiality-related, as indicated by the CVSS score which rates confidentiality impact as high, but integrity and availability are not affected.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you do not open malicious files in affected versions of Adobe InDesign Desktop (versions 20.5.2, 21.2 and earlier).
Consider updating Adobe InDesign Desktop to a version later than 21.2 if available, as the vulnerability affects versions 21.2 and earlier.
Educate users to avoid opening files from untrusted or unknown sources to prevent exploitation that requires user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could lead to memory exposure, allowing an attacker to disclose sensitive information stored in memory if a user opens a malicious file.
Such exposure of sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized disclosure.
However, exploitation requires user interaction, which may influence the risk assessment and mitigation strategies under these standards.