How is CVE-2026-34697 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no remote network access to the service is required. Authentication (not-required): No account or credentials on the target system are needed to trigger the vulnerability. Victim interaction (required): A victim must be socially engineered into opening a malicious file in InDesign Desktop for the overflow to be triggered. Attack complexity (info): The exploit is reliable and condition-free once the victim opens the crafted file; no race conditions or special environmental factors are required.

What is the impact of CVE-2026-34697?

Executes arbitrary code in the context of the logged-in user, giving the attacker the same file-system and process permissions as that user. Reads any files accessible to the current user, including stored credentials, design assets, and sensitive documents. Modifies or deletes files on the host that the current user has write access to. Crashes or destabilizes the InDesign Desktop process, disrupting the user's workflow and any dependent production pipelines.

Back to search

HIGHCVE-2026-34697Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-34697: InDesign Desktop | Stack-based Buffer Overflow (CWE-121)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Stack-based buffer overflow in Adobe InDesign Desktop (versions 21.3, 20.5.3 and earlier) allows an attacker to execute arbitrary code on a victim's machine. The vulnerability is local in nature and requires no authentication, but the victim must open a specially crafted malicious file. Successful exploitation gives the attacker full code execution running as the current user, enabling data theft, file tampering, or further system compromise. No fix version has been published yet; HarborGuard tracks the Adobe advisory and will flag a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-34697 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle InDesign Desktop components. Any image found carrying an affected version of InDesign Desktop is flagged immediately in the customer's scan results.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 7.8 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage output, including ownership routing and policy-adjusted priority, is available for delivery to the appropriate team inbox within each customer organization.

Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. Until then, customers can apply compensating controls such as network-policy isolation or file-type ingestion restrictions through HarborGuard's policy tooling.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no remote network access to the service is required.
AuthenticationNot required
No account or credentials on the target system are needed to trigger the vulnerability.
Victim interactionRequired
A victim must be socially engineered into opening a malicious file in InDesign Desktop for the overflow to be triggered.
Attack complexityDetail
The exploit is reliable and condition-free once the victim opens the crafted file; no race conditions or special environmental factors are required.

Blast Radius

Executes arbitrary code in the context of the logged-in user, giving the attacker the same file-system and process permissions as that user.
Reads any files accessible to the current user, including stored credentials, design assets, and sensitive documents.
Modifies or deletes files on the host that the current user has write access to.
Crashes or destabilizes the InDesign Desktop process, disrupting the user's workflow and any dependent production pipelines.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34697 is active across all connected registries and CI pipelines, with images carrying affected InDesign Desktop versions (21.3 and 20.5.3 and earlier) surfaced in scan results immediately. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle; the moment Adobe publishes a patched release, a rebuilt image will become available, and customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads automatically. In the interim, recommended compensating controls include restricting the ingestion of untrusted InDesign files through file-type policy gates, isolating workloads that process design files using network-policy rules to limit lateral movement if a host is compromised, and alerting on process-spawn anomalies from InDesign Desktop processes within your runtime monitoring policy.

See how HarborGuard automates this

Affected packages

Adobe / InDesign Desktop
≤ 20.5.3

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified