Description
Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to its availability. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application Denial of Service
Action: Apply Patch
AI Analysis

Impact

The reported vulnerability is a NULL Pointer Dereference in Adobe Substance3D Painter, which can cause the application to crash and result in a denial of service. An attacker can trigger the fault by opening a specially crafted file, leading to a loss of availability for the affected user. The flaw is classified as CWE-476.

Affected Systems

Affected variants include Adobe Substance3D Painter versions 11.1.2 and any earlier releases. These versions are provided by Adobe under the Substance3D product line. No other platforms or products are reported to be impacted according to the current CNA data.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.5, indicating a moderate severity, while the EPSS score is less than 1%, reflecting a low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. Because exploitation requires the user to open a malicious file, the attack vector is local and necessitates user interaction. The overall risk is moderate availability disruption with limited likelihood of widespread exploitation.

Generated by OpenCVE AI on April 17, 2026 at 11:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Substance3D Painter to the latest version that includes the fix; consult the Adobe security advisory for version guidance.
  • Until the update is applied, avoid opening unknown or suspicious files in Substance3D Painter, and consider disabling the automatic opening of files.
  • As a temporary defensive measure, run the application within a sandboxed or isolated environment such as a virtual machine or container to contain potential crashes.

Generated by OpenCVE AI on April 17, 2026 at 11:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to its availability. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Substance 3d Painter
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:06.935Z

Reserved: 2026-02-18T22:02:41.379Z

Link: CVE-2026-27217

cve-icon Vulnrichment

Updated: 2026-03-10T19:04:55.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T19:17:18.400

Modified: 2026-03-11T20:28:26.873

Link: CVE-2026-27217

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses