CVE-2026-21278

5.5 MEDIUM

📋 TL;DR

Adobe InDesign versions 21.0, 19.5.5 and earlier contain an out-of-bounds read vulnerability that could allow attackers to access sensitive information from memory. Users who open malicious InDesign files are affected, potentially exposing confidential data stored in application memory.

💻 Affected Systems

Products:
  • Adobe InDesign Desktop
Versions: 21.0, 19.5.5 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable when opening files

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains access to sensitive information like passwords, encryption keys, or proprietary data stored in InDesign's memory space

🟠 Likely Case: Information disclosure of application data or system memory contents, potentially including user data or system information

🟢 If Mitigated: Limited impact with proper file handling policies and user awareness training

🌐 Internet-Facing: LOW - Requires user interaction with malicious files, not directly exploitable over network
🏢 Internal Only: MEDIUM - Internal users could be targeted via email attachments or shared drives

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious file) and knowledge of memory layout

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 21.0.1 or later, or 19.5.6 or later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb26-02.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application
2. Navigate to 'Apps' tab
3. Find InDesign and click 'Update'
4. Restart computer after installation completes

🔧 Temporary Workarounds

Restrict file opening (all platforms): Configure application control policies to restrict opening of InDesign files from untrusted sources

User awareness training (all platforms): Train users to only open InDesign files from trusted sources and verify file integrity

🧯 If You Can't Patch

  • Implement application whitelisting to block execution of vulnerable InDesign versions
  • Deploy email filtering and web gateways to block malicious InDesign file attachments

🔍 How to Verify

Check if Vulnerable:

Check InDesign version via Help > About InDesign menu

Check Version:

On Windows: wmic product where name="Adobe InDesign" get version
On macOS: /Applications/Adobe\ InDesign\ */Adobe\ InDesign.app/Contents/MacOS/Adobe\ InDesign -v

Verify Fix Applied:

Verify version is 21.0.1 or later, or 19.5.6 or later
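As an added example, not part of this advisory or Adobe's tooling: a POSIX shell check that classifies a version string against the two fix thresholds above (21.0.1 on the 21.x branch, 19.5.6 on the 19.x branch) and, on macOS, reads the installed version from the app bundle. The bundle path pattern and the PlistBuddy lookup are assumptions; versions on a branch the advisory does not name (e.g. 20.x) are reported as unverified rather than guessed.

```shell
#!/bin/sh
# Added example (not Adobe's tooling): classify an InDesign version string
# against the fixed versions named in this advisory, 21.0.1 and 19.5.6.
# Prints "fixed", "vulnerable", or "unverified" (branch not covered here).
indesign_fix_label() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0   # missing fields count as 0
        if (maj == 21)
            print (min > 0 || pat >= 1) ? "fixed" : "vulnerable"
        else if (maj == 19)
            print (min > 5 || (min == 5 && pat >= 6)) ? "fixed" : "vulnerable"
        else
            print "unverified"   # e.g. 20.x: advisory states no threshold
    }'
}

# Read the installed version on macOS from the app bundle.
# Path pattern and PlistBuddy usage are assumptions; adjust to your install.
indesign_installed_version_macos() {
    for app in /Applications/Adobe\ InDesign\ */Adobe\ InDesign.app; do
        [ -d "$app" ] || continue
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
            "$app/Contents/Info.plist"
        return 0
    done
    return 1
}

# Check a given version string, or detect the installed one when none is given.
# Usage: check_indesign 21.0.0      or      check_indesign
check_indesign() {
    ver="$1"
    if [ -z "$ver" ]; then
        ver=$(indesign_installed_version_macos) || {
            echo "InDesign bundle not found" >&2
            return 2
        }
    fi
    echo "InDesign $ver: $(indesign_fix_label "$ver")"
}
```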

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected file opening events in InDesign

Network Indicators:

  • Inbound malicious file transfers via email or web

SIEM Query:

source="*indesign*" AND (event_type="crash" OR event_type="file_open") AND file_extension="indd"
