Description
Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Substance3D Painter versions 11.1.2 and earlier contain a NULL Pointer Dereference flaw that can be triggered when the application processes a specially crafted file, causing the program to crash. The crash removes the application from service, resulting in a denial of service scenario for users who rely on it for their workflow. The weakness is classified as CWE‑476 and does not permit code execution but directly impacts availability.

Affected Systems

Adobe Substance3D Painter users running version 11.1.2 or earlier are affected. These versions do not include the fix for the NULL pointer dereference.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5 and an EPSS score of less than 1%, which indicates a low estimated probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires user interaction: a victim must open a malicious file crafted to trigger the flaw. Because the impact is limited to a local application crash and does not allow remote code execution, the overall risk is moderate, and it matters most in environments that handle untrusted files.

Generated by OpenCVE AI on April 17, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Substance3D Painter to a patched version that fixes the NULL pointer dereference.
  • Where an upgrade is not immediately possible, restrict user permissions or sandbox the application so it cannot process untrusted files, thereby reducing the impact of the flaw.
  • Disable or remove the ability to import potentially hazardous file formats that are not required for normal operation, preventing malicious files from reaching the vulnerable code path.



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe substance 3d Painter
Vendors & Products | | Adobe; Adobe substance 3d Painter

Tue, 10 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | Substance3D - Painter | NULL Pointer Dereference (CWE-476)
Weaknesses | | CWE-476
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:07.197Z

Reserved: 2025-12-12T22:01:18.207Z

Link: CVE-2026-21363

Vulnrichment

Updated: 2026-03-10T19:04:59.968Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:12.920

Modified: 2026-03-11T20:20:34.980

Link: CVE-2026-21363

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses