Description
Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A NULL pointer dereference in Substance3D – Painter allows an attacker to crash the application, causing a denial of service. This flaw is classified as CWE‑476: Null Pointer Dereference and can be triggered when the program processes a specially crafted file. The impact is local to the affected instance, resulting in an unresponsive application but not to system compromise.

Affected Systems

Adobe’s Substance3D Painter versions 11.1.2 and earlier are vulnerable. The affected product is Adobe Substance3D Painter for desktop; the CPE reflects adobe:substance_3d_painter. Users running these releases are exposed if they open malicious or malformed files.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating no public exploits are known. Attackers must deliver a malicious file and obtain user interaction to trigger the crash, so the attack vector is local file-based.

Generated by OpenCVE AI on April 16, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe patch or upgrade Substance3D Painter to a version newer than 11.1.2
  • Avoid opening unknown or suspicious files from untrusted sources
  • Use antivirus or file‑validation tools to reject malformed or unsupported files before processing

Generated by OpenCVE AI on April 16, 2026 at 09:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Substance 3d Painter
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:06.670Z

Reserved: 2025-12-12T22:01:18.207Z

Link: CVE-2026-21364

cve-icon Vulnrichment

Updated: 2026-03-10T19:04:51.943Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T19:17:13.127

Modified: 2026-03-11T20:20:12.833

Link: CVE-2026-21364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses