Description
Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Patch
AI Analysis

Impact

Substance3D Stager contains an out‑of‑bounds write (CWE‑787) that, if triggered, can allow an attacker to execute arbitrary code with the privileges of the user who opens a crafted file. The flaw is triggered only when the target user opens a malicious file, so it requires user interaction; successful exploitation can compromise the confidentiality, integrity, and availability of the victim’s system.

Affected Systems

Adobe Substance3D Stager versions 3.1.6 and earlier are susceptible. The affected product runs on both Windows and macOS platforms, as indicated by the provided CPE identifiers.

Risk and Exploitability

The CVSS score of 7.8 is rated High; the EPSS score is below 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to open a malicious file (CVSS vector AV:L, UI:R), so remote exploitation is not possible under normal conditions.

Generated by OpenCVE AI on April 17, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe Substance3D Stager update that eliminates the out‑of‑bounds write flaw.
  • Avoid opening or executing documents from untrusted or unknown sources.
  • Apply application sandboxing or quarantine policies to limit the execution of potentially compromised files.



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe substance 3d Stager; Apple; Apple macos; Microsoft; Microsoft windows
CPEs | | cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Adobe; Adobe substance 3d Stager; Apple; Apple macos; Microsoft; Microsoft windows

Tue, 10 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | Substance3D - Stager | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:31.356Z

Reserved: 2025-12-12T22:01:18.196Z

Link: CVE-2026-21341

Vulnrichment

Updated: 2026-02-10T19:04:39.723Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:55.267

Modified: 2026-02-11T16:40:15.260

Link: CVE-2026-21341

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses