How is CVE-2026-34695 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no over-the-network access to the service is required. Authentication (not-required): No account or credentials are needed before triggering the overflow; the attack works against any user who opens the file. Victim interaction (required): A victim must be socially engineered into opening a malicious file, such as a crafted InDesign document delivered by email or download. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-34695?

The attacker executes arbitrary code with the full privileges of the logged-in user, including access to all files, credentials, and secrets that user can reach. Confidential data stored or cached by the user, such as design assets, authentication tokens, and locally stored documents, is readable by the attacker. The attacker can write or modify files owned by the current user, including configuration files, scripts, or other artifacts that may affect downstream systems. The attacker can crash or destabilize the InDesign process and any dependent workflows running under the same user context.

Back to search

HIGHCVE-2026-34695Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-34695: InDesign Desktop | Stack-based Buffer Overflow (CWE-121)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Stack-based buffer overflow in Adobe InDesign Desktop (versions 21.3, 20.5.3 and earlier) allows an attacker to execute arbitrary code in the context of the logged-in user. The vulnerability is local in scope, requires no prior authentication, but does require the victim to open a specially crafted malicious file. Successful exploitation gives the attacker full code execution, with access to everything the current user can read, write, or run. No upstream fix has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Adobe releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-34695 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle InDesign Desktop or its libraries. Any image containing an affected version is flagged immediately in both registry scans and CI/CD pipeline checks.

Available

Triage

Triage is available with the CVSS 3.1 score of 7.8 (HIGH) applied automatically, and per-environment compliance policy weighting can escalate or suppress the finding based on each customer org's risk thresholds. Routed findings land in the correct team inbox based on each customer's ownership mapping, so the right engineers see the alert without manual triage overhead.

Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the meantime, customers can use HarborGuard's compensating-control recommendations to apply network-policy isolation and file-type ingestion restrictions at the workload level.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no over-the-network access to the service is required.
AuthenticationNot required
No account or credentials are needed before triggering the overflow; the attack works against any user who opens the file.
Victim interactionRequired
A victim must be socially engineered into opening a malicious file, such as a crafted InDesign document delivered by email or download.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

The attacker executes arbitrary code with the full privileges of the logged-in user, including access to all files, credentials, and secrets that user can reach.
Confidential data stored or cached by the user, such as design assets, authentication tokens, and locally stored documents, is readable by the attacker.
The attacker can write or modify files owned by the current user, including configuration files, scripts, or other artifacts that may affect downstream systems.
The attacker can crash or destabilize the InDesign process and any dependent workflows running under the same user context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34695 is active now, flagging any image containing InDesign Desktop at or below version 20.5.3 across registry scans and pipeline checks. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the upstream advisory on every ingest cycle; the moment Adobe ships a remediated version, a patched-image rebuild will become available automatically. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads with no manual steps required. While waiting for an upstream fix, compensating controls available through HarborGuard include network-policy isolation to restrict which workloads can invoke InDesign Desktop, egress filtering to limit exfiltration paths if exploitation occurs, and feature-flag gating to disable file-open workflows in environments where InDesign processing is non-essential.

See how HarborGuard automates this

Affected packages

Adobe / InDesign Desktop
≤ 20.5.3

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified