Description
Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A null pointer dereference flaw exists in Adobe Substance3D Painter. When a specially crafted file is opened, a null pointer is dereferenced during processing, causing the application to crash. This results in denial of service for the application and any services that rely on it. The issue stems from insufficient null checks during file handling (CWE‑476). The likely attack vector is user interaction, where a victim must open a malicious file.

Affected Systems

Adobe Substance3D Painter versions 11.1.2 and earlier are affected. The vulnerability is present in all earlier releases, so any installations using those versions are at risk until upgraded.

Risk and Exploitability

The CVSS v3.1 base score of 5.5 indicates moderate risk, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not in CISA's KEV catalog. The attack requires the victim to open a crafted file, so user interaction is required; the adversary must first deliver the file, but the crash can be triggered by any legitimate user opening it. Because the exploitation probability is low, the overall threat is moderate, but the impact on availability can be significant for users who rely heavily on Substance3D Painter.

Generated by OpenCVE AI on April 16, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Adobe Substance3D Painter update that includes the patch for the null pointer dereference.
  • Avoid opening files from untrusted sources and scan attachments with up‑to‑date antivirus before opening.
  • Run the application with the least privileges required and consider sandboxing it to contain crashes.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe substance 3d Painter
Vendors & Products | | Adobe; Adobe substance 3d Painter

Tue, 10 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | Substance3D - Painter | NULL Pointer Dereference (CWE-476)
Weaknesses | | CWE-476
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:06.252Z

Reserved: 2026-02-18T22:02:41.380Z

Link: CVE-2026-27218

Vulnrichment

Updated: 2026-03-10T19:04:45.772Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:18.613

Modified: 2026-03-11T20:28:08.673

Link: CVE-2026-27218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses