Description
Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exposure via Out-of-bounds Read
Action: Apply Patch
AI Analysis

Impact

An out-of-bounds read flaw in Adobe Substance3D Modeler allows a malicious file to expose data stored in memory, potentially leaking sensitive information. The vulnerability is a classic out-of-bounds memory read (CWE-125): it does not grant execution privileges but can reveal confidential data to the attacker. Exploitation requires the victim to open a crafted file, so it depends on user interaction rather than a network-based attack vector.

Affected Systems

Adobe Substance3D Modeler versions 1.22.4 and earlier are vulnerable. The affected build range extends from the initial release through 1.22.4; no statement is made about newer releases.

Risk and Exploitability

The CVSS base score of 5.5 places the vulnerability in the Medium severity category, and the EPSS score of less than 1% indicates a very low likelihood of real-world exploitation. Because the flaw requires the victim to open a maliciously crafted file, exploitation depends on user interaction. The vulnerability is not listed in CISA's KEV catalog, which lowers the expectation of active exploitation. Nonetheless, unpatched systems remain susceptible to exploitation through social engineering or the distribution of malicious content.

Generated by OpenCVE AI on April 18, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Substance3D Modeler to the latest available version when the vendor releases the fix.
  • If an upgrade is not immediately possible, limit the acceptance of unknown or suspicious 3D files and enforce strict file-sandboxing policies.
  • Consider disabling or restricting user access to file import functions until a patch is applied.


Advisories

No advisories yet.

History

Thu, 15 Jan 2026 00:15:00 +0000

Values Removed: (none listed)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 18:00:00 +0000

Values Removed: (none listed)
Values Added:
  • CPEs: cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Values Removed: (none listed)
Values Added:
  • First Time appeared: Adobe; Adobe substance 3d Modeler
  • Vendors & Products: Adobe; Adobe substance 3d Modeler

Tue, 13 Jan 2026 20:30:00 +0000

Values Removed: (none listed)
Values Added:
  • Description: Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
  • Title: Substance3D - Modeler | Out-of-bounds Read (CWE-125)
  • Weaknesses: CWE-125
  • References
  • Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-01-14T18:52:30.126Z

Reserved: 2025-12-12T22:01:18.192Z

Link: CVE-2026-21303

Vulnrichment

Updated: 2026-01-14T18:52:26.422Z

NVD

Status: Analyzed

Published: 2026-01-13T21:15:54.117

Modified: 2026-01-14T17:58:17.503

Link: CVE-2026-21303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses