Description
Substance3D - Painter versions 11.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exposure – Sensitive Information Disclosure
Action: Monitor
AI Analysis

Impact

Substance3D Painter versions 11.1.2 and older contain an out‑of‑bounds read that allows a malicious file opened by a user to expose internal memory contents and potentially reveal confidential data. The flaw is classified as CWE‑125. This vulnerability enables an attacker to read beyond the allocated buffer and capture sensitive information from the victim’s process memory.

Affected Systems

Adobe Substance3D Painter installations running version 11.1.2 or earlier are affected. Versions released after 11.1.2 are not listed in the advisory and are presumed to be mitigated.

Risk and Exploitability

The CVSS base score is 5.5 (Medium). EPSS indicates a very low likelihood of exploitation (<1%), and the vulnerability is not currently listed in CISA’s KEV catalog. Because it requires user interaction (someone must open a crafted file), its real‑world exploitation probability is low, yet the potential for confidential data leakage warrants proactive mitigation. No official patch is yet available in the advisory, so organizations should keep the product updated when releases are issued.

Generated by OpenCVE AI on April 16, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the newest Substance3D Painter release that contains the fix for the out‑of‑bounds read.
  • If an update cannot be applied immediately, restrict the ability of users to open unknown or unsigned files and enforce file validation before opening.
  • Continuously monitor Adobe’s security advisories for patch releases and apply any subsequent fixes or mitigations.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:* |

Wed, 11 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe substance 3d Painter |
| Vendors & Products | | Adobe; Adobe substance 3d Painter |

Tue, 10 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 10 Mar 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Substance3D - Painter versions 11.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Painter \| Out-of-bounds Read (CWE-125) |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} |

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:06.802Z

Reserved: 2025-12-12T22:01:18.207Z

Link: CVE-2026-21365

Vulnrichment

Updated: 2026-03-10T19:04:53.921Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:13.297

Modified: 2026-03-11T20:19:33.383

Link: CVE-2026-21365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses