Description
Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in Adobe Substance3D – Stager for versions 3.1.5 and earlier. The flaw allows an attacker to execute code in the context of the current user by exploiting a freed memory region. The defect is classified as CWE‑416 and could lead to arbitrary code execution.

Affected Systems

Adobe Substance3D – Stager versions 3.1.5 and earlier are affected. The product is available on macOS and Windows operating systems, as indicated by the associated CPEs.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate to high severity. EPSS is reported as < 1 %, suggesting low current exploitation probability, and the issue is not listed in the CISA KEV catalog. However, the flaw requires the victim to open a malicious file, so it is a user‑interaction dependent attack that remains significant if users are not cautious.

Generated by OpenCVE AI on April 18, 2026 at 06:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe Substance3D – Stager update that fixes the use‑after‑free flaw, as detailed in the Adobe security advisory.
  • If an update cannot be applied immediately, block or quarantine the existing Substance3D – Stager installation until the patch is available.
  • Educate users to avoid opening unknown or untrusted files in Substance3D – Stager and verify file signatures before opening.

Generated by OpenCVE AI on April 18, 2026 at 06:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Stager
Vendors & Products Adobe
Adobe substance 3d Stager

Tue, 13 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Stager | Use After Free (CWE-416)
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Substance 3d Stager
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:13.722Z

Reserved: 2025-12-12T22:01:18.190Z

Link: CVE-2026-21287

cve-icon Vulnrichment

Updated: 2026-01-14T19:51:57.329Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T20:16:09.283

Modified: 2026-01-14T19:29:14.490

Link: CVE-2026-21287

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses