Description
Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution in the context of the current user
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds write flaw in Adobe Substance3D Painter allows an attacker to overwrite memory, leading to arbitrary code execution under the victim’s user account. The vulnerability is triggered when the application processes a specially crafted file; no elevated privileges or additional access is required. The impact is confined to the user who opens the malicious file and could result in system compromise.

Affected Systems

Adobe Substance3D Painter versions 11.0.3 and earlier are affected. Users running these releases should verify their installed version against the vendor’s release notes. Production systems using these or earlier builds are susceptible.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low exploitation probability at the current time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to open a crafted file, so the attack vector is local and user-initiated. An attacker must get the application to process that file in order to execute code, which makes exploitation feasible but dependent on user interaction.

Generated by OpenCVE AI on April 18, 2026 at 06:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Painter update, which removes the out‑of‑bounds write flaw.
  • If an update is not immediately available, disable automatic file association for *.sbs files and require manual user confirmation before opening them.
  • Educate users to avoid opening unknown or unsolicited Substance3D files and maintain up‑to‑date antivirus protection.



Advisories

No advisories yet.

History

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 13 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:14.014Z

Reserved: 2025-12-12T22:01:18.192Z

Link: CVE-2026-21305

Vulnrichment

Updated: 2026-01-13T19:52:54.819Z

NVD

Status: Analyzed

Published: 2026-01-13T20:16:09.443

Modified: 2026-01-14T17:57:27.897

Link: CVE-2026-21305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses