Description
Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

Substance3D Stager 3.1.7 and earlier contain an out‑of‑bounds write that can be triggered by opening a malicious file. When this buffer overflow is exploited, an attacker can run arbitrary code with the privileges of the user who opens the file, potentially compromising the entire system.

Affected Systems

Adobe Substance3D Stager versions 3.1.7 and earlier are affected. The product runs on macOS and Windows platforms, as indicated by the associated CPE entries, so any user who has an affected version installed on either operating system is at risk.

Risk and Exploitability

The vulnerability has a CVSS v3 score of 7.8, signaling high severity. Exploitation requires user interaction to open a crafted file, so the attack vector is local and likely to be confined to the victim’s machine. EPSS indicates a very low probability of exploitation (<1%), and the issue is not listed in CISA’s KEV catalog, suggesting no widespread, active exploitation at present. Nevertheless, the ability to execute code as the current user warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 03:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe update that removes the vulnerability (install Substance3D Stager 3.1.8 or later).
  • Disable automatic opening of unknown or untrusted files in Substance3D Stager to force a user decision before loading content.
  • Ensure general system security hygiene by keeping the operating system and other software up to date and by running reliable anti‑malware solutions that can detect suspicious file formats or execution attempts.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Stager
Vendors & Products Adobe
Adobe substance 3d Stager

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Stager | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T03:56:58.709Z

Reserved: 2026-02-18T22:02:41.388Z

Link: CVE-2026-27273

Vulnrichment

Updated: 2026-03-10T19:10:31.300Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:19.217

Modified: 2026-03-11T20:27:05.240

Link: CVE-2026-27273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses