Description
Substance3D - Painter versions 11.1.2 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability is an out-of-bounds read in the file parsing routine of Substance3D Painter, allowing an attacker to read memory contents beyond the intended buffer. This can lead to the disclosure of sensitive data stored in memory. The flaw is classified as CWE‑125. Exploitation requires the victim to open a crafted file, causing the application to perform the unsafe memory read while rendering.

Affected Systems

Adobe Substance3D Painter versions 11.1.2 and all older releases are affected. User installations of these versions on any supported operating system are vulnerable. Upgrading to a newer release that removes the vulnerable code eliminates the risk.

Risk and Exploitability

The CVSS v3 score of 5.5 indicates a medium risk level. The EPSS score of below 1% suggests a low probability of exploitation under current conditions. The vulnerability does not appear in the CISA KEV catalog. Attackers must rely on social engineering to convince a user to open a maliciously crafted file; based on the description, it is inferred that the attack vector is local and file-based, with no remote code execution or privilege escalation. The potential impact is limited to information disclosure rather than code compromise.

Generated by OpenCVE AI on April 16, 2026 at 09:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe Substance3D Painter release that fixes the out‑of‑bounds read issue.
  • Configure the editor to block or prompt before opening unknown or untrusted files.
  • Maintain up-to-date anti‑virus signatures and perform manual scans of any files obtained from untrusted sources before opening them.


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe substance 3d Painter

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe substance 3d Painter

Tue, 10 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Substance3D - Painter versions 11.1.2 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Type: Title
Values Removed: (none)
Values Added: Substance3D - Painter | Out-of-bounds Read (CWE-125)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-125

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T19:12:06.424Z

Reserved: 2026-02-18T22:02:41.380Z

Link: CVE-2026-27219

Vulnrichment

Updated: 2026-03-10T19:04:47.865Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:18.790

Modified: 2026-03-11T20:27:45.260

Link: CVE-2026-27219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses