Description
Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Disclosure
Action: Update Software
AI Analysis

Impact

This vulnerability allows an out‑of‑bounds read in Adobe Substance3D Modeler, enabling an attacker to read arbitrary memory contents and potentially expose sensitive data. The weakness (CWE‑125) can lead to disclosure of confidential information when a user opens a malicious file. The impact is limited to memory exposure and data leakage.

Affected Systems

Adobe’s Substance3D Modeler, versions 1.22.4 and earlier, are affected. Users running these releases should be aware that the issue exists in all prior versions and will be fixed in later releases.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. EPSS is below 1 %, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires user interaction: the attacker must deliver and have the victim open a crafted file, which limits the attack vector to near‑local scenarios.

Generated by OpenCVE AI on April 18, 2026 at 06:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of Substance3D Modeler that incorporates the Adobe patch for CVE‑2026‑21302.
  • If an immediate upgrade is not possible, avoid opening or executing suspicious or unknown files, and consider using a sandbox or virtual environment.
  • Regularly check Adobe’s security advisories and apply any future updates promptly.

Generated by OpenCVE AI on April 18, 2026 at 06:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Modeler
Vendors & Products Adobe
Adobe substance 3d Modeler

Tue, 13 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Modeler | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Modeler
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-01-14T18:53:08.207Z

Reserved: 2025-12-12T22:01:18.191Z

Link: CVE-2026-21302

cve-icon Vulnrichment

Updated: 2026-01-14T18:53:05.660Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T21:15:53.960

Modified: 2026-01-14T17:58:14.300

Link: CVE-2026-21302

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses