Description
Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to its availability. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

A NULL Pointer Dereference flaw exists in Adobe Substance3D Painter versions 11.1.2 and earlier, causing the application to crash when it processes a specially crafted file. The missing null check leads to a failure that prevents the software from launching correctly, thereby disrupting its availability. The vulnerability is classified as CWE‑476 and results in a denial‑of‑service condition for the user.

Affected Systems

Adobe’s Substance3D Painter 11.1.2 and all earlier releases are affected. No other Adobe products are listed as vulnerable. Any installation of these versions is susceptible until the issue is corrected.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating medium severity. The EPSS score is below 1 %, suggesting a very low likelihood of widespread exploitation at present. It is not present in the CISA KEV catalog. Exploitation requires user interaction: an attacker must supply a malicious file that the victim opens. The attack vector is therefore local or social‑engineering‑based rather than remote.

Generated by OpenCVE AI on April 16, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Painter update that removes the null‑pointer flaw.
  • If an update is not yet available, refrain from opening or importing unknown or untrusted files into the application.
  • Run the editor in a sandboxed or isolated environment to limit the impact of any crashes on the host system.

Generated by OpenCVE AI on April 16, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to its availability. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Substance 3d Painter
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:07.341Z

Reserved: 2026-02-18T22:02:41.379Z

Link: CVE-2026-27215

cve-icon Vulnrichment

Updated: 2026-03-10T19:05:03.679Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T19:17:17.940

Modified: 2026-03-11T20:21:42.657

Link: CVE-2026-27215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses