Description
Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Update
AI Analysis

Impact

A NULL Pointer Dereference in Adobe Substance3D Modeler allows an attacker to cause the application to crash, resulting in denial of service. The vulnerability is a classic example of CWE-476, where improper handling of a null reference can be triggered by malformed input. The impact is confined to the application and does not lead to remote code execution or data leakage.

Affected Systems

Adobe Substance3D Modeler versions 1.22.4 and all earlier releases are affected. The issue affects all users running these versions, regardless of operating system, as the vulnerability resides in the core model processing component.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1 percent signals a very low probability of exploitation in active environments, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to open a malicious file, so the attack vector is primarily user interaction through file opening or attachment handling. Because the attacker must first convince a user to act, the overall risk is considered low to moderate, but the impact of a single occurrence can disrupt workflows and productivity.

Generated by OpenCVE AI on April 18, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Substance3D Modeler to a version newer than 1.22.4.
  • Avoid opening files from untrusted or unknown sources.
  • Use application sandboxing or security controls to restrict execution of potentially malicious files.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:* |

Wed, 14 Jan 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe; Adobe substance 3d Modeler |
| Vendors & Products | | Adobe; Adobe substance 3d Modeler |

Tue, 13 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 13 Jan 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Modeler \| NULL Pointer Dereference (CWE-476) |
| Weaknesses | | CWE-476 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-01-13T21:44:43.809Z

Reserved: 2025-12-12T22:01:18.191Z

Link: CVE-2026-21301

Vulnrichment

Updated: 2026-01-13T21:44:39.891Z

NVD

Status: Analyzed

Published: 2026-01-13T21:15:53.793

Modified: 2026-01-14T17:58:10.387

Link: CVE-2026-21301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses