Description
Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-01-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read that can expose memory contents
Action: Assess Impact
AI Analysis

Impact

Substance3D - Designer versions 15.0.3 and earlier are vulnerable to an out‑of‑bounds read that may expose arbitrary memory contents. The flaw occurs when the program accesses data beyond the bounds of a buffer, classified as CWE‑125, and could allow an attacker to leak sensitive information such as credentials or cryptographic material. The attack requires a user to open a malicious file, so it is a local, user‑initiated threat rather than a remote exploit.

Affected Systems

Adobe Substance3D - Designer installations running version 15.0.3 or earlier are affected.

Risk and Exploitability

Risk is moderate. The CVSS score of 5.5 indicates a medium impact restricted to memory disclosure, while an EPSS of less than 1% suggests exploitation attempts are uncommon. The vulnerability is not listed in CISA KEV, implying no widespread exploitation. Attackers must prompt a user to open a malicious file, limiting the attack surface to individuals who interact with the file. The limited exposure scope reduces the probability of successful exploitation compared to remote vulnerabilities, but the confidentiality impact remains non‑negligible.

Generated by OpenCVE AI on April 18, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Designer update or patch when available.
  • Limit file opening to known safe formats or enforce a strict file‑type whitelist for user authentication.
  • Scan files with up‑to‑date antivirus and anti‑malware tools before allowing them to be opened.

Generated by OpenCVE AI on April 18, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 13 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-01-13T21:47:08.206Z

Reserved: 2025-12-12T22:01:18.192Z

Link: CVE-2026-21308

cve-icon Vulnrichment

Updated: 2026-01-13T21:47:05.642Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T20:16:09.927

Modified: 2026-01-14T17:57:49.533

Link: CVE-2026-21308

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses