Login Sign Up

CVE-2021-39822

7.8 HIGH
Remote Code Execution

📋 TL;DR

Adobe InDesign has an out-of-bounds write vulnerability in BMP file parsing that allows arbitrary code execution when a user opens a malicious BMP file. This affects users running Adobe InDesign versions 16.3.1 and earlier. Successful exploitation requires user interaction to open a specially crafted BMP file.

💻 Affected Systems

Products:
  • Adobe InDesign
Versions: 16.3 and earlier, 16.3.1 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable when processing BMP files.

📦 What is this software?

Indesign by Adobe

View all CVEs affecting Indesign →

Indesign by Adobe

View all CVEs affecting Indesign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the affected system.

🟢

If Mitigated

Limited impact due to application sandboxing or restricted user privileges, potentially resulting in application crash rather than code execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with a malicious file, not network exposure.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open malicious BMP file. No public exploit code has been disclosed as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.3.2 and later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb21-73.html

Restart Required: Yes

Instructions:

1. Open Adobe InDesign. 2. Go to Help > Updates. 3. Install available updates to version 16.3.2 or later. 4. Restart the application.

🔧 Temporary Workarounds

Block BMP file extensions

all

Prevent InDesign from opening BMP files via file extension blocking

Disable BMP file association

all

Remove BMP file association with Adobe InDesign in operating system settings

🧯 If You Can't Patch

  • Restrict user privileges to standard user accounts (not administrator)
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check Adobe InDesign version via Help > About InDesign. If version is 16.3.1 or earlier, system is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 16.3.2 or later via Help > About InDesign.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening BMP files
  • Unusual process creation from InDesign

Network Indicators:

  • Outbound connections from InDesign to unusual destinations

SIEM Query:

Process creation events where parent process is InDesign and command line contains suspicious parameters

📊 Metadata

CVE ID: CVE-2021-39822
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: July 20, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-39822, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)