Description
Substance3D - Designer versions 15.1.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial-of-Service
Action: Upgrade
AI Analysis

Impact

Substance3D Designer versions 15.1.0 and earlier contain a null pointer dereference that can be triggered by opening a crafted file. When the vulnerability is abused, the application crashes, resulting in a denial of service that disrupts user productivity and any services that rely on the software. The weakness is identified as a null pointer dereference (CWE-476).

Affected Systems

The affected product is Adobe Substance3D Designer, specifically all releases up to and including version 15.1.0. Users running any earlier build are exposed to the flaw.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate risk, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation. Exploitation requires a user to open a malicious file, so the attack vector is user-interaction dependent, typically local. Organizations should assess the likelihood of users handling untrusted assets before prioritizing remediation.

Generated by OpenCVE AI on April 17, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Substance3D Designer that is newer than 15.1.0 to eliminate the vulnerability.
  • If an immediate upgrade is not possible, avoid opening untrusted or unknown files and use content filtering or antivirus scans to detect malicious files before they are opened.
  • Apply the principle of least privilege to restrict users who can open and execute files within the application, and monitor for application crashes to respond quickly.

Generated by OpenCVE AI on April 17, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-10T18:58:22.542Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21336

cve-icon Vulnrichment

Updated: 2026-02-10T18:58:18.352Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:31.603

Modified: 2026-02-11T17:31:03.997

Link: CVE-2026-21336

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses