Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

Substance3D Designer versions 15.1.0 and earlier contain an out‑of‑bounds write that corrupts memory when processing a malicious file, which can be leveraged to run arbitrary code in the current user’s context. This bug is a classic buffer overflow scenario that may allow an attacker to compromise the operating system or execute subsequent attacks. The effect is therefore the ability to execute malicious code with the user’s privileges.

Affected Systems

Adobe Substance3D Designer is the affected product; only releases 15.1.0 and earlier are susceptible. Users should verify whether they are running a vulnerable version.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation at present. Because the vulnerability requires the victim to open a specially crafted file, it is most often delivered via phishing emails or compromised downloads, which means that social engineering is the main attack vector. Although not listed in the CISA KEV database, the potential damage from successful exploitation is severe, so the overall risk remains moderate to high depending on user behavior and protection controls.

Generated by OpenCVE AI on April 17, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Designer update that includes the CVE‑2026‑21335 fix, which adds proper bounds checking during file parsing.
  • Disable auto‑open features for external files and require explicit user confirmation before opening any untrusted documents.
  • Conduct user awareness training to avoid opening unknown files and to verify file authenticity before execution.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe; Adobe substance 3d Designer |
| CPEs | | cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe; Adobe substance 3d Designer |

Tue, 10 Feb 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Tue, 10 Feb 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Designer \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:32.361Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21335

Vulnrichment

Updated: 2026-02-10T18:40:38.364Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:31.457

Modified: 2026-02-11T17:31:16.753

Link: CVE-2026-21335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses