Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An out‑of‑bounds write in Adobe Substance3D Designer versions 15.1.0 and earlier allows an attacker to trigger arbitrary code execution when a user opens a crafted file. The flaw is a classic memory corruption issue identified as CWE‑787. If exploited, the malicious code runs with the privileges of the user who opens the file.

Affected Systems

Adobe Substance3D Designer (Designer version 15.1.0 and any earlier releases).

Risk and Exploitability

With a CVSS score of 7.8, this vulnerability is considered high severity. However, its EPSS score is below 1 %, indicating low current exploitation likelihood. The vulnerability is not listed in CISA KEV. Exploitation requires user interaction to open a malicious file, so threat actors would need to persuade or trick a user into opening the file. If successfully exploited, code could run with the user’s rights, potentially allowing data exfiltration or privilege escalation within the user’s session.

Generated by OpenCVE AI on April 17, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe Substance3D Designer update that addresses the out‑of‑bounds write (see Adobe advisory).
  • Restrict users from opening unknown or untrusted files; use file quarantine or digital signatures to block malicious files.
  • Run a comprehensive antivirus scan on the system and monitor for any suspicious activity following the upgrade.

Generated by OpenCVE AI on April 17, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:32.666Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21334

cve-icon Vulnrichment

Updated: 2026-02-10T18:44:56.136Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:31.303

Modified: 2026-02-11T17:31:30.870

Link: CVE-2026-21334

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses