CVE-2026-34697 – Adobe InDesign Desktop
“A malicious document can turn a creative workflow into a code execution opportunity.”
Adobe patched multiple vulnerabilities in InDesign Desktop versions 21.3, 20.5.3, and earlier. CVE-2026-34695, CVE-2026-34696, CVE-2026-34697, CVE-2026-34698, CVE-2026-34699, CVE-2026-34700, CVE-2026-34701, and CVE-2026-34702 each have a CVSS score of 7.8, which is High severity. CVE-2026-34703 has a CVSS score of 5.5, which is Medium severity.
The update addresses stack-based buffer overflows, heap-based buffer overflows, use-after-free conditions, out-of-bounds writes, and a NULL pointer dereference vulnerability. Successful exploitation could allow arbitrary code execution in the context of the current user or cause application denial of service. All vulnerabilities require user interaction, as a victim must open a malicious file. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Affected Product
- Adobe Indesign
- Attack Vector
- Local
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- Required
- CWE Classification
- CWE-121