CVE-2026-21275

7.8 HIGH

📋 TL;DR

Adobe InDesign versions 21.0, 19.5.5 and earlier contain an uninitialized pointer access vulnerability that allows arbitrary code execution when a user opens a malicious file. This affects all users running vulnerable versions of InDesign on their desktop systems.

💻 Affected Systems

Products:
  • Adobe InDesign
Versions: 21.0, 19.5.5 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malicious document leads to malware installation or credential theft when opened by a user.

🟢 If Mitigated

User opens suspicious file but security controls prevent execution, resulting in application crash only.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with a malicious file, not network exposure.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious documents.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and knowledge of memory corruption techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to InDesign 21.0.1 or 19.5.6

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb26-02.html

Restart Required: Yes

Instructions:

1. Open the Adobe Creative Cloud application.
2. Navigate to the Updates section.
3. Install the available InDesign updates.
4. Restart the computer after installation completes.

🔧 Temporary Workarounds

Restrict InDesign file execution (Platforms: all)

Configure application control to block execution of InDesign files from untrusted sources.

User awareness training (Platforms: all)

Train users to only open InDesign files from trusted sources.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized InDesign execution
  • Use email/web gateways to block suspicious InDesign file attachments

🔍 How to Verify

Check if Vulnerable:

Check the InDesign version via Help > About InDesign. If the version is 21.0, 19.5.5 or earlier, the system is vulnerable.

Check Version:

On Windows: Check Add/Remove Programs for Adobe InDesign version. On macOS: Check Applications folder > Adobe InDesign > Get Info.

Verify Fix Applied:

Verify that the version shown is 21.0.1 or 19.5.6 after the update has been installed.
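The version comparison above is easy to get wrong by hand because the fix lives on two separate release lines (21.0.1 and 19.5.6). The script below is an added example, not part of this advisory page or any Adobe tooling: it takes the version string as displayed in Help > About InDesign (or in Add/Remove Programs) and reports whether that build still needs the update. It assumes a plain dotted numeric version string; treating any build that is not on a fixed release line (for example a 20.x build) as needing an update is a conservative choice made by this example, not a statement from the advisory.

```python
import sys
from typing import Tuple

# Fixed builds named in the "Official Fix" section above, one per release line.
FIXED_21 = (21, 0, 1)
FIXED_19 = (19, 5, 6)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '19.5.5' or '21.0' into an int tuple, zero-padded to 3 parts so
    that '21.0' compares as (21, 0, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version_text: str) -> bool:
    """True when the installed build is older than the fix on its own release line."""
    v = parse_version(version_text)
    if v >= FIXED_21:
        # 21.0.1 and anything newer (including later major releases) carries the fix.
        return False
    if v[0] == 19 and v >= FIXED_19:
        # 19.5.6 and later on the 19.x line carries the fix.
        return False
    # Everything else: 21.0, 19.5.5 and earlier, and (assumption of this
    # example) any intermediate line such as 20.x, is treated as needing the update.
    return True


def describe(version_text: str) -> str:
    """Human-readable verdict for a single installed version string."""
    if is_vulnerable(version_text):
        return f"InDesign {version_text}: VULNERABLE, update to 21.0.1 or 19.5.6"
    return f"InDesign {version_text}: fixed build, no action needed"


if __name__ == "__main__":
    # Usage: python indesign_version_check.py 19.5.5
    for arg in sys.argv[1:] or ["21.0", "19.5.5", "19.5.6", "21.0.1"]:
        print(describe(arg))
```

Run it with the version string you read from the About dialog; an empty argument list prints the verdict for the four versions named on this page.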

📡 Detection & Monitoring

Log Indicators:

  • Unexpected InDesign crashes
  • InDesign spawning unusual child processes
  • InDesign accessing suspicious files

Network Indicators:

  • InDesign making unexpected outbound connections after file open

SIEM Query:

process_name:"InDesign.exe" AND (event_type:crash OR parent_process:unusual)
