Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exposure
Action: Apply Patch
AI Analysis

Impact

An out‑of‑bounds read flaw in Substance3D – Designer allows an attacker to read beyond intended memory bounds. The vulnerability can cause disclosure of sensitive data residing in memory. It stems from an improper bounds check (CWE‑125) and requires that a victim open a crafted file to trigger the read. The impact is the exposure of confidential information but does not directly allow remote code execution.

Affected Systems

Adobe Substance3D – Designer versions 15.1.0 and earlier are vulnerable. Updated versions released after 15.1.0 contain the fix.

Risk and Exploitability

The CVSS base score of 5.5 indicates a moderate severity. EPSS is below 1%, suggesting the likelihood of exploitation is low. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires user interaction, so an attacker must convince a user to open a malicious file; otherwise the flaw cannot be leveraged.

Generated by OpenCVE AI on April 17, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Substance3D – Designer to a version newer than 15.1.0 following the Adobe security advisory.
  • As a temporary measure, restrict or quarantine the opening of unknown or untrusted files that may contain malicious content.
  • Continuously monitor file access logs for anomalous file openings and block suspicious files from the system.

Generated by OpenCVE AI on April 17, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-10T18:42:31.602Z

Reserved: 2025-12-12T22:01:18.195Z

Link: CVE-2026-21339

cve-icon Vulnrichment

Updated: 2026-02-10T18:42:23.793Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:32.093

Modified: 2026-02-11T17:30:29.150

Link: CVE-2026-21339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses