Description
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Substance3D – Stager versions 3.1.7 and earlier suffer from a use‑after‑free flaw that allows an attacker to execute arbitrary code in the context of the user who opens a crafted file. The vulnerability is rated CVSS 7.8, indicating a high‑severity security impact. Exploitation requires user interaction: a victim must open the malicious file, after which the attacker can inject code that runs with the victim’s privileges.

Affected Systems

Adobe’s Substance3D – Stager versions 3.1.7 and earlier are affected. The flaw applies on both macOS and Windows, the operating systems the product runs on.

Risk and Exploitability

The CVSS score of 7.8 conveys a significant risk, while the EPSS score of less than 1% suggests that, at present, the probability of exploitation is low but not zero. The lack of a listing in the CISA KEV catalog indicates no confirmed exploitation in the wild, yet the attack path is straightforward: craft a malicious file, convince a user to open it, then trigger the use‑after‑free and achieve code execution. Because the exploit runs with the current user’s privileges, it can potentially expand to other user accounts or system resources if higher‑privileged processes interact with the compromised materials.

Generated by OpenCVE AI on April 16, 2026 at 03:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Substance3D – Stager to version 3.1.8 or later to apply Adobe’s patch.
  • Avoid opening files from untrusted or unknown sources in Substance3D – Stager.
  • Implement file‑type filtering or sandboxing for Substance3D files to restrict execution of potentially malicious content.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple; Apple macos; Microsoft; Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple; Apple macos; Microsoft; Microsoft windows |

Wed, 11 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe substance 3d Stager |
| Vendors & Products | | Adobe; Adobe substance 3d Stager |

Tue, 10 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 10 Mar 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Stager \| Use After Free (CWE-416) |
| Weaknesses | | CWE-416 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T03:57:04.287Z

Reserved: 2026-02-18T22:02:41.389Z

Link: CVE-2026-27276

Vulnrichment

Updated: 2026-03-10T19:10:35.760Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:19.740

Modified: 2026-03-11T18:22:20.397

Link: CVE-2026-27276

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses