How is CVE-2026-34698 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no over-the-network access to the service is required. Authentication (not-required): No account or credentials are required to deliver the malicious file payload. Victim interaction (required): The victim must be socially engineered into opening a malicious InDesign file for the overflow to be triggered. Attack complexity (info): Exploit reliability is high and no special environmental conditions, race conditions, or memory-layout dependencies are required.

What is the impact of CVE-2026-34698?

Attacker executes arbitrary code in the context of the logged-in user, gaining access to everything that user can access on the host. Reads files, stored credentials, session tokens, and any documents open or accessible under the current user profile. Writes or modifies files owned by the current user, including documents, configuration files, and local application data. Crashes InDesign Desktop or destabilizes the host process, disrupting the user's active work session.

Back to search

HIGHCVE-2026-34698Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-34698: InDesign Desktop | Heap-based Buffer Overflow (CWE-122)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Adobe InDesign Desktop (versions 21.3, 20.5.3 and earlier) allows an attacker to execute arbitrary code by convincing a victim to open a specially crafted file. The vulnerability is local in nature and requires no prior authentication, but does depend on a user opening a malicious document. Successful exploitation gives the attacker full code execution running as the current user, enabling complete access to that user's files, credentials, and system resources. No fix version has been published yet; HarborGuard tracks the upstream advisory and will flag patch availability as soon as Adobe releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-34698 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle InDesign Desktop components.

Available

Triage

HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to prioritize routing; triage findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available to customer environments the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no over-the-network access to the service is required.
AuthenticationNot required
No account or credentials are required to deliver the malicious file payload.
Victim interactionRequired
The victim must be socially engineered into opening a malicious InDesign file for the overflow to be triggered.
Attack complexityDetail
Exploit reliability is high and no special environmental conditions, race conditions, or memory-layout dependencies are required.

Blast Radius

Attacker executes arbitrary code in the context of the logged-in user, gaining access to everything that user can access on the host.
Reads files, stored credentials, session tokens, and any documents open or accessible under the current user profile.
Writes or modifies files owned by the current user, including documents, configuration files, and local application data.
Crashes InDesign Desktop or destabilizes the host process, disrupting the user's active work session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34698 is active across all connected customer environments and will surface any image containing an affected version of InDesign Desktop components. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the upstream advisory on every ingest cycle; the moment a fix version is published, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive an automatic rebuild, regression test run, and PR opened against affected workloads. In the interim, compensating controls worth considering include restricting the ability to open untrusted InDesign files in affected environments, applying egress filtering to limit what a compromised process can reach, and using OS-level sandboxing or least-privilege user accounts to reduce the blast radius if a malicious file is opened.

See how HarborGuard automates this

Affected packages

Adobe / InDesign Desktop
≤ 20.5.3

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified