CVE-2026-34696: InDesign Desktop | Use After Free (CWE-416)
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects Adobe InDesign Desktop versions 21.3, 20.5.3, and earlier. The flaw is triggered locally when a user opens a specially crafted file, requiring no special account privileges. Successful exploitation gives an attacker arbitrary code execution running as the current user. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Adobe publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle InDesign Desktop or its dependencies. Any image containing an affected version is flagged immediately in the pipeline.
AvailableHarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector, and that score is weighted against each customer organization's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer org based on configured policy rules.
AvailableNo fix version has been published by Adobe for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- AuthenticationNot required
No account credentials or prior authentication are needed to deliver the malicious file to the victim.
- Victim interactionRequired
The victim must open a malicious file, making this a social-engineering vector that requires user action to trigger the vulnerability.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental prerequisites beyond the victim opening the file.
Blast Radius
- Executes arbitrary code in the context of the current user, giving the attacker full control of any process the user can run.
- Reads files and data the current user has access to, including documents, credentials stored on disk, and session material.
- Writes or modifies files within the current user's permissions, enabling persistence mechanisms or data tampering.
- Crashes or destabilizes the InDesign Desktop process, disrupting the user's working environment.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored across all customer image scans, with detection firing immediately on any image containing InDesign Desktop at or below version 20.5.3. Because Adobe has not yet published a fix, no patched rebuild is available at this time. HarborGuard re-evaluates the upstream advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically for customers with auto-remediation enabled the moment a fix version is released. In the interim, compensating controls worth considering include restricting the distribution of untrusted InDesign files through network-policy isolation on workstations, applying egress filtering to limit what a compromised InDesign process can reach, and, where workflows permit, disabling automatic file-open actions in document-sharing pipelines.
- Adobe / InDesign Desktop≤ 20.5.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H