CVE-2026-27286
Received Received - Intake
Heap-Based Buffer Overflow in Adobe InDesign Risks Memory Exposure

Publication date: 2026-04-14

Last updated on: 2026-04-16

Assigner: Adobe Systems Incorporated

Description
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27286
EUVD
EUVD-2026-22442
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
adobe indesign to 20.5.3 (exc)
adobe indesign From 21.0 (inc) to 21.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap-based buffer overflow found in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier. It occurs when a user opens a specially crafted malicious file, which can cause the program to improperly handle memory buffers on the heap.

As a result, an attacker could exploit this flaw to cause memory exposure, potentially disclosing sensitive information stored in the application's memory.

Impact Analysis

If exploited, this vulnerability could lead to the disclosure of sensitive information from the memory of the affected application.

Since exploitation requires user interaction (opening a malicious file), the risk depends on the likelihood of a user opening such a file.

The impact is primarily confidentiality-related, as indicated by the CVSS score which rates confidentiality impact as high, but integrity and availability are not affected.

Mitigation Strategies

To mitigate this vulnerability, ensure that you do not open malicious files in affected versions of Adobe InDesign Desktop (versions 20.5.2, 21.2 and earlier).

Consider updating Adobe InDesign Desktop to a version later than 21.2 if available, as the vulnerability affects versions 21.2 and earlier.

Educate users to avoid opening files from untrusted or unknown sources to prevent exploitation that requires user interaction.

Compliance Impact

This vulnerability could lead to memory exposure, allowing an attacker to disclose sensitive information stored in memory if a user opens a malicious file.

Such exposure of sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized disclosure.

However, exploitation requires user interaction, which may influence the risk assessment and mitigation strategies under these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27286. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart