CVE-2026-34699: InDesign Desktop | Heap-based Buffer Overflow (CWE-122)
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Heap-based buffer overflow in Adobe InDesign Desktop (versions 21.3, 20.5.3 and earlier) allows an attacker to execute arbitrary code in the context of the logged-in user. The vulnerability is reached locally and requires no authentication, but a victim must open a specially crafted malicious file for exploitation to succeed. Successful exploitation gives the attacker full code execution with read and write access at the privilege level of the current user. No fix version has been published yet; HarborGuard tracks the advisory and will flag a patched rebuild the moment Adobe releases one.
HarborGuard Coverage
Detection for CVE-2026-34699 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle InDesign Desktop or its component libraries. Matching runs continuously across both registry scans and CI/CD pipeline checks, so newly pushed images are covered without manual intervention.
Available
HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 7.8 (HIGH) and weighting that score against each environment's compliance policy to surface it at the appropriate priority. Triage routing is available to direct findings to the right team inbox within each customer org based on image ownership and policy configuration.
Available
Because no fix version has been published by Adobe, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, compensating controls such as network-policy isolation for build environments containing InDesign components and feature-flag gating of file-processing pipelines can be surfaced through HarborGuard's policy recommendations.
Pending upstream
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no over-the-network exposure is required to trigger this vulnerability.
- Authentication: Not required
No credentials or account of any privilege level are required to carry out the attack.
- Victim interaction: Required
A victim must be socially engineered into opening a malicious file for the overflow to be triggered.
- Attack complexity: Detail
The exploit is reliable and condition-free once the victim opens the crafted file; no race conditions or specific memory layout dependencies are noted.
Blast Radius
- Executes arbitrary code at the privilege level of the current user, giving the attacker a foothold on the victim machine.
- Reads any files, credentials, or secrets accessible to the logged-in user account.
- Modifies or deletes files and data within the user's access scope, including project files and local configuration.
- Crashes or destabilizes the InDesign Desktop process, disrupting any dependent publishing or production workflows.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-34699 activates immediately upon advisory ingestion, matching against all customer images that include Adobe InDesign Desktop components at or below version 20.5.3. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will make a rebuild available automatically once Adobe ships a patched release; for customers with auto-remediation enabled, that will trigger a rebuild, regression test run, and a PR opened against affected workloads without manual follow-up. While no upstream patch exists, customers can reduce exposure by enforcing network-policy isolation around build environments that process untrusted InDesign files, applying egress filtering to limit lateral movement if a host is compromised, and using feature-flag gating to disable automated file-open pipelines until a fix is available.
- Adobe / InDesign Desktop: ≤ 20.5.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H