Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability is an out-of-bounds read (CWE-125) in Substance3D Designer versions 15.1.0 and earlier, which can expose arbitrary data stored in memory to an attacker. It allows adversaries to read data beyond a buffer boundary when a malicious file is opened, potentially leaking sensitive information such as credentials or proprietary assets. The impact is primarily confidentiality loss; there is no direct evidence of code execution or denial of service.

Affected Systems

Adobe Substance3D Designer is affected, specifically versions 15.1.0 and earlier. No other vendors or products are listed. Therefore, any installation of the product within that version range is vulnerable.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is less than 1%, showing that the likelihood of exploitation is low. The vulnerability is not included in the CISA KEV list, suggesting it is not currently being exploited in the wild. Attack requires user interaction to open a malicious file, so the risk is mitigated if users are cautious, but patching remains the recommended action.

Generated by OpenCVE AI on April 17, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Designer update that resolves the out-of-bounds read issue (see Adobe APSB26-19).
  • If the current installation is 15.1.0 or earlier, upgrade to the most recent supported release.
  • Limit the opening of unknown or untrusted files by configuring application settings and educating users about safe file handling.
  • Continue monitoring Adobe security advisories for any additional patches or mitigations.

Generated by OpenCVE AI on April 17, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-10T18:33:11.397Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21337

cve-icon Vulnrichment

Updated: 2026-02-10T18:32:45.393Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:31.763

Modified: 2026-02-11T17:30:53.953

Link: CVE-2026-21337

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses