Description
Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Patch
AI Analysis

Impact

An out‑of‑bounds write in Adobe Substance3D Modeler versions 1.22.4 and earlier allows an attacker to execute arbitrary code in the context of the current user. The vulnerability is a classic buffer overflow (CWE‑787) that can be triggered when the affected application processes a specially crafted file. If exploited, the attacker could run malicious code with the privileges of the local user, potentially compromising system integrity and confidentiality.

Affected Systems

Adobe Substance3D Modeler version 1.22.4 and all earlier releases are affected. Users operating any of these versions are exposed to the risk until a patch is applied.

Risk and Exploitability

The CVSS base score of 7.8 classifies the flaw as high severity, however the exploitation probability is very low (EPSS < 1%) and the vulnerability is not listed in CISA’s KEV catalog. Because an attacker must supply a malicious file that the user must open, the risk is limited to environments where users can inadvertently or intentionally open such files. The likely attack vector therefore involves a user manually opening a crafted file via the standard file import workflow or by dragging a file into the application.

Generated by OpenCVE AI on April 18, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued update that addresses the out‑of‑bounds write in Substance3D Modeler; install the latest available release or the officially recommended fix.
  • If a patch is not yet available, avoid opening unknown or untrusted files in the affected application; disable automatic file detection and process files through a trusted sandbox or quarantine step.
  • Remove or isolate older, vulnerable installations of Substance3D Modeler to prevent accidental use until the update can be applied.

Generated by OpenCVE AI on April 18, 2026 at 06:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Modeler
Vendors & Products Adobe
Adobe substance 3d Modeler

Tue, 13 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Modeler | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Substance 3d Modeler
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:10.758Z

Reserved: 2025-12-12T22:01:18.191Z

Link: CVE-2026-21298

cve-icon Vulnrichment

Updated: 2026-01-13T21:33:22.766Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T21:15:53.307

Modified: 2026-01-14T17:57:53.310

Link: CVE-2026-21298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses