Description
Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Substance3D - Stager versions 3.1.6 and earlier contain an out‑of‑bounds read flaw that occurs when the software parses a specially crafted file. This bug can read memory past the end of a buffer and, if an attacker can control the file content, can be leveraged to execute arbitrary code in the context of the user opening the file.

Affected Systems

The vulnerability affects Adobe Substance3D – Stager, specifically all releases up to and including 3.1.6. Software may run on macOS or Windows platforms, as those operating systems are included in the affected product list.

Risk and Exploitability

The issue has a CVSS score of 7.8, indicating high impact potential, but its EPSS score is below 1%, suggesting a very low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires user interaction: the attacker must craft a malicious file and convince a user to open it. Once the user opens the file, code could be executed with the privileges of the current user.

Generated by OpenCVE AI on April 17, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Substance3D – Stager to the latest version that removes the out‑of‑bounds read flaw.
  • Avoid opening files from untrusted or unknown sources, especially files received via email or downloaded from the internet.
  • Keep the operating system and all related software up to date, applying security patches that may mitigate related memory‑handling issues.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 11 Feb 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe substance 3d Stager, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe, Adobe substance 3d Stager, Apple, Apple macos, Microsoft, Microsoft windows |

Tue, 10 Feb 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Stager \| Out-of-bounds Read (CWE-125) |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:30.786Z

Reserved: 2025-12-12T22:01:18.200Z

Link: CVE-2026-21344

Vulnrichment

Updated: 2026-02-25T15:42:07.691Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:57.190

Modified: 2026-02-11T17:15:39.107

Link: CVE-2026-21344

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses