CVE-2024-39395

5.5 MEDIUM

📋 TL;DR

Adobe InDesign has a NULL pointer dereference vulnerability that lets an attacker crash the application by tricking a user into opening a malicious file. It affects InDesign Desktop versions ID19.4 and earlier and ID18.5.2 and earlier. The result is denial of service; exploitation requires user interaction.

💻 Affected Systems

Products:
  • Adobe InDesign Desktop
Versions: ID19.4 and earlier, ID18.5.2 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

A targeted user opens a malicious file, InDesign crashes, unsaved work is lost and productivity is disrupted.

🟠 Likely Case

A user inadvertently opens a crafted file from an untrusted source, causing an application crash and potential data loss.

🟢 If Mitigated

With proper controls, users avoid opening untrusted files, limiting the impact to isolated crashes.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not network exposure.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to open a malicious file; no authentication bypass is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ID19.5 and ID18.5.3

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb24-56.html

Restart Required: Yes

Instructions:

1. Open the Adobe Creative Cloud application.
2. Navigate to the 'Apps' tab.
3. Find InDesign and click 'Update'.
4. Restart the computer after the installation completes.

🔧 Temporary Workarounds

Restrict file opening (platforms: all)

Configure InDesign to only open files from trusted sources using application restrictions.

🧯 If You Can't Patch

  • Implement application whitelisting to block execution of older InDesign versions.
  • Educate users to never open InDesign files from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

Check the InDesign version via Help > About InDesign. If the version is ID19.4 or earlier (19.x line) or ID18.5.2 or earlier (18.x line), the installation is vulnerable.

Check Version:

On Windows: Check via Control Panel > Programs. On macOS: Check via About This Mac > System Report > Applications.

Verify Fix Applied:

After patching, verify that the version is ID19.5 or later (19.x line) or ID18.5.3 or later (18.x line).
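The version ranges above are easy to get wrong in an inventory script because there are two fixed lines (18.x and 19.x) rather than one cutoff. The following added example (not from the advisory or from Adobe) classifies version strings against exactly the ranges stated on this page. It assumes version strings of the form "19.4", "19.4.1" or "ID18.5.2" (the "ID" prefix is stripped), treats any 18.x build at or above 18.5.3 and any 19.x build at or above 19.5 as fixed, and treats lines older than 18 as covered by "ID18.5.2 and earlier".

```python
"""Classify InDesign version strings against the CVE-2024-39395 ranges.

Added illustration, not vendor or advisory code. Assumptions are marked
in comments; the host inventory at the bottom is constructed sample data.
"""

# First fixed build per affected line, taken from the advisory's
# "Patch Version: ID19.5 and ID18.5.3" (assumption: anything at or above
# these within the same line is fixed).
FIXED_BY_MAJOR = {18: (18, 5, 3), 19: (19, 5, 0)}


def parse_version(text: str) -> tuple:
    """Turn "ID19.4", "19.4" or "19.4.1" into a 3-tuple of ints."""
    s = text.strip()
    if s.upper().startswith("ID"):  # Adobe's "ID" product prefix
        s = s[2:]
    parts = [int(p) for p in s.split(".")]
    while len(parts) < 3:  # pad "19.4" to (19, 4, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(text: str) -> bool:
    """True if the version falls inside the affected ranges on this page."""
    v = parse_version(text)
    major = v[0]
    if major in FIXED_BY_MAJOR:
        return v < FIXED_BY_MAJOR[major]
    # Assumption: lines newer than 19.x are unaffected; lines older than
    # 18.x fall under "ID18.5.2 and earlier".
    return major < 18


def triage(inventory: dict) -> dict:
    """Map host -> 'VULNERABLE' or 'PATCHED' for a {host: version} dict."""
    return {
        host: ("VULNERABLE" if is_vulnerable(ver) else "PATCHED")
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory, e.g. exported from an endpoint agent.
    sample = {
        "ws-01": "ID19.4",
        "ws-02": "19.5",
        "ws-03": "18.5.2",
        "ws-04": "18.5.3",
        "ws-05": "17.4",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The check is deliberately line-aware: a naive "version < 19.5" test would wrongly flag 18.5.3, which the advisory lists as fixed.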

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs from InDesign
  • Unexpected termination events in system logs

Network Indicators:

  • None - exploitation is file-based, not network-based

SIEM Query:

(EventID=1000 OR EventID=1001) AND SourceName='InDesign' AND Keywords='Application Error'
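In most query languages AND binds tighter than OR, so writing the filter without parentheses matches every EventID 1000 crash on the host regardless of application. The added example below (not from the advisory; field names follow the query above and the event records are constructed) runs both readings of the filter over sample Application-log records and counts matching crashes per host, which is the number a SOC would alert on.

```python
"""Apply the advisory's crash filter to constructed Windows Application
log records and show why the OR/AND grouping matters.

Added example. EventID/SourceName/Keywords are the field names used in
the SIEM query on this page; the sample records are made up.
"""

# Constructed sample events (1000 = application crash, 1001 = Windows
# Error Reporting). Only ws-01 has InDesign crashes.
SAMPLE_EVENTS = [
    {"EventID": 1000, "SourceName": "InDesign", "Keywords": "Application Error", "Host": "ws-01"},
    {"EventID": 1001, "SourceName": "InDesign", "Keywords": "Application Error", "Host": "ws-01"},
    {"EventID": 1000, "SourceName": "Outlook", "Keywords": "Application Error", "Host": "ws-02"},
    {"EventID": 7036, "SourceName": "InDesign", "Keywords": "Classic", "Host": "ws-03"},
]


def naive_match(e: dict) -> bool:
    """Literal reading of the ungrouped query: AND binds tighter than OR,
    so every EventID 1000 matches whatever its source."""
    return e["EventID"] == 1000 or (
        e["EventID"] == 1001
        and e["SourceName"] == "InDesign"
        and e["Keywords"] == "Application Error"
    )


def grouped_match(e: dict) -> bool:
    """Intended logic: (1000 OR 1001) AND InDesign AND Application Error."""
    return (
        e["EventID"] in (1000, 1001)
        and e["SourceName"] == "InDesign"
        and e["Keywords"] == "Application Error"
    )


def crashes_per_host(events: list, matcher) -> dict:
    """Count matching events per host."""
    counts = {}
    for e in events:
        if matcher(e):
            counts[e["Host"]] = counts.get(e["Host"], 0) + 1
    return counts


def hosts_to_alert(events: list, threshold: int = 1) -> list:
    """Hosts with at least `threshold` InDesign crash events (grouped filter)."""
    counts = crashes_per_host(events, grouped_match)
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("ungrouped:", crashes_per_host(SAMPLE_EVENTS, naive_match))
    print("grouped:  ", crashes_per_host(SAMPLE_EVENTS, grouped_match))
    print("alert:    ", hosts_to_alert(SAMPLE_EVENTS, threshold=2))
```

The ungrouped reading counts the Outlook crash on ws-02 as an InDesign indicator; the grouped reading only reports ws-01. Repeated crashes on one host within a short window, rather than a single event, are the more useful trigger for investigating which file was opened.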
