Description
Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution in user context
Action: Immediate Patch
AI Analysis

Impact

Substance3D Stager versions 3.1.6 and earlier contain an out-of-bounds read flaw that triggers when the application parses a specially crafted file. The vulnerability allows an attacker to read beyond the bounds of an allocated memory buffer, potentially leading to execution of arbitrary code within the current user’s session. The weakness is classified as CWE-125.

Affected Systems

Adobe’s Substance3D Stager, specifically release 3.1.6 and all earlier versions, is affected. The product is available on macOS and Windows platforms, so any user running one of these older versions is at risk if they open a malicious file.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score of less than 1% indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Successful exploitation requires user interaction: a victim must launch the Stager application with a maliciously crafted file. Once this occurs, code can execute in the context of the current user, so the potential for compromise is significant but limited to users who open such files.

Generated by OpenCVE AI on April 17, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Stager update that addresses the out-of-bounds read flaw.
  • Avoid opening unknown or suspicious files with the Stager application.
  • Employ antivirus or sandbox mechanisms to examine any suspect files before opening them in Stager.



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:30:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Adobe, Adobe substance 3d Stager, Apple, Apple macos, Microsoft, Microsoft windows
  • CPEs: cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Adobe, Adobe substance 3d Stager, Apple, Apple macos, Microsoft, Microsoft windows

Tue, 10 Feb 2026 19:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 18:45:00 +0000

Values Removed: (none)
Values Added:
  • Description: Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
  • Title: Substance3D - Stager | Out-of-bounds Read (CWE-125)
  • Weaknesses: CWE-125
  • References:
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:31.075Z

Reserved: 2025-12-12T22:01:18.200Z

Link: CVE-2026-21343

Vulnrichment

Updated: 2026-02-10T18:59:35.062Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:56.857

Modified: 2026-02-11T17:16:03.557

Link: CVE-2026-21343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses