CVE-2026-27291
Out-of-Bounds Write in Adobe InDesign Enables Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-16
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | indesign | to 20.5.3 (exc) |
| adobe | indesign | From 21.0 (inc) to 21.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows for arbitrary code execution in the context of the current user after opening a malicious file, which could potentially lead to unauthorized access or data compromise.
Such unauthorized access or data compromise could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information.
However, exploitation requires user interaction, which may limit the risk depending on the environment and user behavior.
Can you explain this vulnerability to me?
This vulnerability affects Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier. It is an out-of-bounds write vulnerability, which means that the software writes data outside the boundaries of allocated memory. This flaw could allow an attacker to execute arbitrary code with the privileges of the current user.
Exploitation requires user interaction, specifically that the victim must open a malicious file crafted to trigger this vulnerability.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to arbitrary code execution in the context of the current user. This means an attacker could run malicious code on your system with your user privileges.
- Potential impacts include data theft, installation of malware, or unauthorized actions performed on your system.
- Since the attack requires user interaction (opening a malicious file), social engineering techniques might be used to trick users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you do not open malicious files in affected versions of Adobe InDesign Desktop (versions 20.5.2, 21.2 and earlier).
Consider updating Adobe InDesign Desktop to a version later than 21.2 if available, as the vulnerability affects versions 21.2 and earlier.
Avoid opening files from untrusted sources to prevent exploitation requiring user interaction.