CVE-2026-27274 - Vulnerability Details

- Substance3D - Stager | Out-of-bounds Write (CWE-787)

Description

Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2026-03-10

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Substance3D – Stager versions 3.1.7 and earlier contain an out-of-bounds write flaw that can be triggered by opening a specially crafted file. The vulnerability is a classic memory corruption bug (CWE‑787) and allows an attacker to corrupt data outside the bounds of an allocated buffer, potentially leading to execution of arbitrary code. If successfully exploited, the attacker would have the privileges of the user who opens the file, providing a direct route to compromise the system and any processes that trust the application.

Affected Systems

The affected product is Adobe Substance3D – Stager. Versions 3.1.7 and all earlier releases are vulnerable, regardless of the operating system. The application runs on macOS, Windows, and other platforms as listed in the CPE data. No specific OS versions are limited beyond the presence of Substance3D – Stager itself.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity. The EPSS score is below 1%, suggesting low current exploitation probability, but zero-day threats can still arise. It is not yet included in the CISA KEV catalog. The most likely attack vector is a user following a malicious link or opening a deceptive file, which requires user interaction. The required privileges are at the level of the victim, making the impact significant if the user has administrative or higher rights.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

Substance3D - Stager

affected

Version	Status	Constraints
`0`	affected	≤ 3.1.7

Configuration 1 [-]

AND

cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Adobe

Substance 3d Stager

94%

Version	Status	Scheme	Platform
`[0,3.1.7]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Adobe update for Substance3D – Stager to version 3.1.8 or later, as specified in the vendor advisory
Restrict file execution permissions for unsupported or unknown file extensions so that users cannot run arbitrary files in the application
Implement network labeling or application whitelisting to block the application from processing untrusted content until the patch is applied

Generated by OpenCVE AI on April 16, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html

History

Wed, 11 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Microsoft Microsoft windows
CPEs		cpe:2.3:a:adobe:substance_3d_stager:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Microsoft Microsoft windows

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe substance 3d Stager
Vendors & Products		Adobe Adobe substance 3d Stager

Tue, 10 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title		Substance3D - Stager \| Out-of-bounds Write (CWE-787)
Weaknesses		CWE-787
References		https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Adobe Substance 3d Stager

Apple Macos

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-03-10T18:39:00.927Z

Updated: 2026-03-11T03:56:59.768Z

Reserved: 2026-02-18T22:02:41.388Z

Link: CVE-2026-27274

Vulnrichment

Updated: 2026-03-10T19:10:27.072Z

NVD

Status : Analyzed

Published: 2026-03-10T19:17:19.383

Modified: 2026-03-11T20:26:36.670

Link: CVE-2026-27274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object