CVE-2024-41866 – Adobe InDesign has a NULL pointer dereference v... (How to Fix)

Q: What is the severity of CVE-2024-41866?

CVE-2024-41866 has a CVSS score of 5.5 (MEDIUM). Adobe InDesign has a NULL pointer dereference vulnerability that allows attackers to crash the application by tricking users into opening malicious files. This affects users of InDesign Desktop versions ID19.4, ID18.5.2 and earlier, causing denial of service but no code execution.

📋 TL;DR

Adobe InDesign has a NULL pointer dereference vulnerability that allows attackers to crash the application by tricking users into opening malicious files. This affects users of InDesign Desktop versions ID19.4, ID18.5.2 and earlier, causing denial of service but no code execution.

💻 Affected Systems

Products:

Adobe InDesign Desktop

Versions: ID19.4 and earlier, ID18.5.2 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable

📦 What is this software?

Indesign by Adobe

View all CVEs affecting Indesign →

Indesign by Adobe

View all CVEs affecting Indesign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to loss of unsaved work and temporary disruption of design workflows

🟠

Likely Case

Application crash requiring restart, potentially causing minor productivity loss

🟢

If Mitigated

No impact if users avoid opening untrusted files or have patched versions

🌐 Internet-Facing: LOW - Requires user interaction with malicious files, not directly network exploitable

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction (opening malicious file), making it relatively simple but not automated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ID19.5 and ID18.5.3

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb24-56.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application 2. Navigate to 'Apps' tab 3. Find InDesign and click 'Update' 4. Restart computer after installation completes

🔧 Temporary Workarounds

Restrict file opening

all

Configure InDesign to only open trusted files from known sources

Use file validation

all

Implement file validation workflows before opening InDesign files

🧯 If You Can't Patch

Implement strict file handling policies - only open files from trusted sources
Use application sandboxing or virtualization for InDesign when handling untrusted files

🔍 How to Verify

Check if Vulnerable:

Check InDesign version via Help > About InDesign. If version is ID19.4 or earlier, or ID18.5.2 or earlier, you are vulnerable.

Check Version:

On Windows: wmic product where name="Adobe InDesign" get version
On macOS: /Applications/Adobe\ InDesign\ */Adobe\ InDesign.app/Contents/Info.plist | grep -A1 CFBundleShortVersionString

Verify Fix Applied:

Verify version is ID19.5 or later, or ID18.5.3 or later after updating

📡 Detection & Monitoring

Log Indicators:

Application crash logs from InDesign
Unexpected termination events in system logs

Network Indicators:

File downloads followed by InDesign crashes

SIEM Query:

EventID=1000 OR EventID=1001 AND ProcessName="InDesign.exe" OR "Adobe InDesign"

📊 Metadata

CVE ID: CVE-2024-41866

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE: CWE-476

Published: August 14, 2024

Last Updated: August 19, 2024

🔗 References

https://helpx.adobe.com/security/products/indesign/apsb24-56.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-41866, you might also want to check these: