Description
Substance3D - Painter versions 11.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via memory reading
Action: Patch
AI Analysis

Impact

Substance3D Painter versions 11.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. The flaw allows an attacker to access sensitive information stored in memory when a victim opens a malicious file. Exploitation requires user interaction; no remote exploitation is possible.

Affected Systems

Adobe’s Substance3D Painter version 11.1.2 and all earlier releases are vulnerable. Any installation that can open or parse user-supplied files is at risk.

Risk and Exploitability

The vulnerability has a CVSS base score of 5.5, indicating moderate severity. The EPSS score is less than 1 %, suggesting a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the victim to open a malicious file, so the primary risk is mitigated by user awareness and file-handling controls rather than purely technical defenses.

Generated by OpenCVE AI on April 17, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe’s update for Substance3D Painter to the latest available version following the security advisory at helpx.adobe.com.
  • Restrict automatic execution of unknown or unsigned files, and use a sandboxed environment for reviewing untrusted content.
  • Educate users about the risks of opening files from untrusted sources and enforce a policy of verifying file signatures before opening.

Generated by OpenCVE AI on April 17, 2026 at 11:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 11.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Painter
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:07.065Z

Reserved: 2026-02-18T22:02:41.379Z

Link: CVE-2026-27216

cve-icon Vulnrichment

Updated: 2026-03-10T19:04:57.997Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T19:17:18.177

Modified: 2026-03-11T20:21:09.437

Link: CVE-2026-27216

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses