Description
Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Apply Patch
AI Analysis

Impact

Substance3D – Stager versions 3.1.6 and earlier contain an out-of-bounds write that lets a maliciously crafted file corrupt memory and achieve arbitrary code execution in the context of the current user. The weakness is classified as CWE-787 (Out-of-bounds Write). Based on the description, a successful exploit would run code as the user who opens the file, without requiring additional privileges.

Affected Systems

Adobe is the sole vendor identified, and the affected product is Substance3D – Stager. The vulnerability exists in all released builds up to and including version 3.1.6. The product runs on both macOS and Windows, as indicated by the CPE entries for those operating systems. All installations of the affected versions are therefore vulnerable until patched.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating a high severity level. The EPSS score is <1%, indicating a very low probability of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction: an end user must open a specially crafted file. Once the file is processed, the out-of-bounds write can be leveraged to gain arbitrary code execution in the user's context, which could compromise the host if the user has administrative rights.

Generated by OpenCVE AI on April 18, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Adobe patch or update to Substance3D – Stager.
  • Avoid opening untrusted files in Substance3D – Stager. Consider implementing a file integrity or signature check before allowing the application to process a file.
  • If an update cannot be applied immediately, restrict the execution of the application’s file processing features through application control or sandboxing to limit the impact of a potential exploit.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe substance 3d Stager, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | `cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*`, `cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*` |
| Vendors & Products | | Adobe, Adobe substance 3d Stager, Apple, Apple macos, Microsoft, Microsoft windows |

Tue, 10 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |

Tue, 10 Feb 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Stager \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` |

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:31.961Z

Reserved: 2025-12-12T22:01:18.196Z

Link: CVE-2026-21342

Vulnrichment

Updated: 2026-02-10T20:11:09.480Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:56.613

Modified: 2026-02-11T16:40:22.233

Link: CVE-2026-21342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses