Description
Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution in the context of the current user
Action: Immediate Patch
AI Analysis

Impact

Substance3D Designer versions 15.0.3 and earlier contain an out-of-bounds write flaw that can let an attacker run code with the same privileges as the user who opens a crafted file. The weakness is classified as an out-of-bounds write (CWE-787) and could compromise confidentiality, integrity, or availability of the system where the application is executed.

Affected Systems

Adobe Substance3D Designer, all releases up to and including 15.0.3. Releases after 15.0.3 are not affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8 (High), but the EPSS score is below 1%, suggesting that real-world exploitation is unlikely at present. The flaw is not listed in CISA's KEV catalog. Exploitation requires user interaction: a victim must open a malicious file, so the risk is driven by social engineering or phishing. There are no known public exploits, the attack vector is local (AV:L), and any code execution occurs in the context of the current user.

Generated by OpenCVE AI on April 18, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe Substance3D Designer update 15.0.4 or newer to eliminate the out‑of‑bounds write flaw.
  • Configure the environment to restrict or monitor the opening of untrusted .sbs files, using antivirus or policy controls, to reduce the chance of a user executing malicious content.
  • Enforce strict least-privilege execution for Designer, such as running it under a dedicated low-privilege account or within a sandbox, to contain any potential code execution.



Advisories

No advisories yet.

History

Wed, 14 Jan 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | - | cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Adobe; Adobe substance 3d Designer
Vendors & Products | - | Adobe; Adobe substance 3d Designer

Tue, 13 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Tue, 13 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | - | Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | - | Substance3D - Designer | Out-of-bounds Write (CWE-787)
Weaknesses | - | CWE-787
References | - |
Metrics | - | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-01-13T21:31:37.703Z

Reserved: 2025-12-12T22:01:18.192Z

Link: CVE-2026-21307

Vulnrichment

Updated: 2026-01-13T21:31:33.938Z

NVD

Status: Analyzed

Published: 2026-01-13T20:16:09.763

Modified: 2026-01-14T17:57:42.960

Link: CVE-2026-21307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses