CVE-2026-34701 | Severity: HIGH | CNA: adobe

CVE-2026-34701: InDesign Desktop | Heap-based Buffer Overflow (CWE-122)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: none yet (no upstream fix published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A heap-based buffer overflow vulnerability affects Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier. The vulnerability is reached locally and requires no authentication, but a victim must open a specially crafted malicious file. Successful exploitation gives an attacker arbitrary code execution running as the current user, enabling full control over files and processes accessible to that account. No fix has been published yet; HarborGuard tracks this advisory and will flag a patched-image rebuild the moment upstream ships a remediated version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle InDesign Desktop components.

Status: Available

Triage

HarborGuard scores this issue at CVSS 7.8 HIGH and is capable of weighting it further against each environment's compliance policy, routing resulting alerts to the team or inbox configured for that customer org.

Status: Available

Patch

Because no upstream fix version exists yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Adobe publishes a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix lands.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network access to a listening service is required.

  • Authentication: Not required

    No account credentials or prior authentication are needed to deliver the malicious file.

  • Victim interaction: Required

    A victim must be socially engineered into opening a specially crafted malicious file for the overflow to be triggered.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental preconditions.

Blast Radius

  • An attacker executes arbitrary code in the context of the logged-in user, gaining the same file-system read and write access that user holds.
  • Confidential documents, credentials, or secrets stored in files accessible to the user account are exposed to the attacker.
  • The attacker can modify or delete files owned by the user, including project assets, configuration files, and cached credentials.
  • All processes the user can launch are reachable, meaning the attacker can install persistence mechanisms or pivot to other local resources without further privilege escalation.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all customer images on every scan cycle, covering both vendor-supplied and internally built images that include InDesign Desktop. Because Adobe has not yet published a fix, HarborGuard monitors the advisory continuously and will make a patched-image rebuild available the moment a remediated version is released upstream. For customers with auto-remediation enabled, the rebuilt image, regression test run, and PR against affected workloads will be created automatically with no manual steps required. In the interim, compensating controls worth considering include restricting the distribution of InDesign-capable images to only the pipelines that strictly require them, applying file-type filtering at ingress points to block unsolicited document delivery, and enforcing least-privilege user accounts inside containers to limit the blast radius of a successful exploit.

Affected packages
  • Adobe / InDesign Desktop
    ≤ 20.5.3

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H