Description
Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Monitor
AI Analysis

Impact

The vulnerability is a NULL Pointer Dereference that causes the Substance3D – Modeler application to crash when it processes a malicious file. The result is a local application denial of service: an adversary can interrupt the user’s workflow but cannot compromise system isolation or data. The weakness is identified as CWE‑476 and is not an information disclosure or privilege escalation flaw.

Affected Systems

Adobe Substance3D – Modeler, versions 1.22.4 and all earlier releases.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity. Exploitation requires user interaction (a victim must open a specially crafted file), and the EPSS score is less than 1%, indicating a very low estimated likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Because the attack vector is local (AV:L) and there is no network‑based exposure, the risk is limited to affected users who may open malicious assets. The low probability of exploitation combined with the moderate impact suggests that vigilance is recommended rather than an immediate mandatory fix.

Generated by OpenCVE AI on April 18, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the latest version of Substance3D – Modeler once Adobe releases a patch that removes the null dereference flaw.
  • Restrict access to untrusted or third‑party files by configuring the application or operating system to use a sandbox, so that a malicious file is opened only inside the protected environment.
  • Monitor Adobe security advisories and apply any interim countermeasures recommended in future updates, such as stricter file validation or automated scanning of assets before opening.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 18:00:00 +0000

Values Removed: (none)
Values Added:
  • CPEs: cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Adobe; Adobe substance 3d Modeler
  • Vendors & Products: Adobe; Adobe substance 3d Modeler

Tue, 13 Jan 2026 20:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
  • Title: Substance3D - Modeler | NULL Pointer Dereference (CWE-476)
  • Weaknesses: CWE-476
  • References:
  • Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-01-14T18:52:48.415Z

Reserved: 2025-12-12T22:01:18.191Z

Link: CVE-2026-21300

Vulnrichment

Updated: 2026-01-14T18:52:45.526Z

NVD

Status: Analyzed

Published: 2026-01-13T21:15:53.630

Modified: 2026-01-14T17:58:05.290

Link: CVE-2026-21300

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses