Description
Substance3D - Designer versions 15.1.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a NULL pointer dereference inside Adobe Substance3D Designer. When triggered, the application dereferences a null pointer and crashes, resulting in an immediate denial of service to anyone using that instance. The weakness is a classic null pointer error (CWE‑476) and threatens only the local application, not the underlying operating system or other network services.

Affected Systems

Adobe Substance3D Designer versions 15.1.0 and earlier are affected. The issue appears in all installations of these versions, regardless of operating system or deployment environment, because the flaw is located in the core file‑processing routine.

Risk and Exploitability

The CVSS score of 5.5 places this as a medium severity issue, while the EPSS score of less than 1% indicates a very low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. An attacker must first craft a malicious Designer file and convince a victim to open it; remote exploitation is not possible. Because the flaw requires user interaction, the risk is contained to environments where users download or receive Designer files from untrusted sources.

Generated by OpenCVE AI on April 17, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe Substance3D Designer update that contains the null‑pointer fix.
  • Block or whitelist Designer files so that only signed or trusted files are opened in the application.
  • Educate users about the danger of opening unknown Designer files and enforce strict file‑type policies.

Generated by OpenCVE AI on April 17, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-10T18:51:01.794Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21338

cve-icon Vulnrichment

Updated: 2026-02-10T18:50:58.565Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:31.933

Modified: 2026-02-11T17:30:42.657

Link: CVE-2026-21338

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses