How is CVE-2026-48293 exploited?

Network reachability (not-required): The attacker does not need network access; the exploit is delivered through a malicious file opened locally on the victim's machine. Authentication (not-required): No account or credentials are required to exploit this vulnerability; the attacker only needs to get the victim to open a crafted file. Victim interaction (required): The victim must actively open a malicious file, making social engineering (phishing, drive-by download, or similar) a necessary part of the attack chain. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

What is the impact of CVE-2026-48293?

Executes arbitrary code in the context of the logged-in user, giving the attacker full control over any process the user can run. Reads files and data accessible to the current user account, including documents, credentials cached on disk, and session tokens. Modifies or deletes files within the current user's permissions, including tampering with application data or dropping persistent malware. Crashes or destabilizes the InDesign Desktop process and any dependent workflows, disrupting productivity or automated publishing pipelines.

Back to search

HIGHCVE-2026-48293Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-48293: InDesign Desktop | Out-of-bounds Write (CWE-787)

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Out-of-bounds write vulnerability in Adobe InDesign Desktop (versions 21.3, 20.5.3 and earlier) allows an attacker to write data beyond the boundaries of an allocated memory buffer. The attack is local in delivery and requires no privileges, but the victim must open a specially crafted malicious file. Successful exploitation gives the attacker arbitrary code execution running under the current user's account. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images and pipeline artifacts, including custom-built images that bundle InDesign Desktop components.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 7.8 (HIGH) and weighting it against each customer environment's compliance policy, then routing the finding to the appropriate team inbox within that organization.

Available

Patch

No fix version has been published by Adobe. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker does not need network access; the exploit is delivered through a malicious file opened locally on the victim's machine.
AuthenticationNot required
No account or credentials are required to exploit this vulnerability; the attacker only needs to get the victim to open a crafted file.
Victim interactionRequired
The victim must actively open a malicious file, making social engineering (phishing, drive-by download, or similar) a necessary part of the attack chain.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

Executes arbitrary code in the context of the logged-in user, giving the attacker full control over any process the user can run.
Reads files and data accessible to the current user account, including documents, credentials cached on disk, and session tokens.
Modifies or deletes files within the current user's permissions, including tampering with application data or dropping persistent malware.
Crashes or destabilizes the InDesign Desktop process and any dependent workflows, disrupting productivity or automated publishing pipelines.

How HarborGuard Handles This

Available on HarborGuard: because Adobe has not yet published a fix for this vulnerability, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression test run and a PR opened against affected workloads. In the interim, compensating controls are worth considering: network-policy isolation to restrict file-sharing paths that could deliver malicious documents, egress filtering on systems running InDesign Desktop to limit post-exploitation reach, and where operationally feasible, gating the opening of externally sourced InDesign files behind a sandboxed review environment. HarborGuard will update this record and trigger re-evaluation of affected images as soon as Adobe publishes a patched version.

See how HarborGuard automates this

Affected packages

Adobe / InDesign Desktop
≤ 20.5.3

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified