Description
Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: application denial‑of‑service
Action: Check for fix
AI Analysis

Impact

A NULL pointer dereference exists in Substance3D Painter versions 11.1.2 and earlier that can crash the application when a malicious file is processed. The failure results in denial of service for the user, preventing the software from functioning normally. The weakness is a classic null dereference scenario as identified by CWE‑476.

Affected Systems

Adobe’s Substance3D Painter distribution, specifically all releases up to and including version 11.1.2. No other vendor products are listed as affected in the CNA report.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity, and the EPSS score of less than 1% points to a very low current exploitation probability. The vulnerability is not marked in CISA’s KEV catalog. Exploitation requires user interaction—a victim must open a crafted file. Consequently, the practical risk to a system is moderate and contingent upon the likelihood of a user encountering or accepting a malicious file.

Generated by OpenCVE AI on April 16, 2026 at 09:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Substance3D Painter to the latest version that fixes the NULL pointer dereference
  • Avoid opening files from untrusted or unknown sources until verification is performed
  • Configure the application or operating system to block or quarantine suspicious file types before they are processed

Generated by OpenCVE AI on April 16, 2026 at 09:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Substance 3d Painter
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:06.541Z

Reserved: 2026-02-18T22:02:41.379Z

Link: CVE-2026-27214

cve-icon Vulnrichment

Updated: 2026-03-10T19:04:49.893Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T19:17:17.700

Modified: 2026-03-11T20:22:09.363

Link: CVE-2026-27214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses