CVE-2026-27279 - Vulnerability Details

- Substance3D - Stager | Out-of-bounds Write (CWE-787)

Description

Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2026-03-10

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability is an out‑of‑bounds write that allows a malicious input file to corrupt memory when Substance3D Stager processes it, leading to arbitrary code execution with the privileges of the user launching the application. The weakness is classified as CWE‑787, indicating improper memory bounds handling. If successfully exploited, an attacker can run arbitrary code, compromising confidentiality, integrity, and availability of the system.

Affected Systems

Adobe Substance3D Stager versions 3.1.7 and earlier on macOS and Microsoft Windows are affected, as indicated by the supplied CPE information. Any host running those releases should be evaluated for exposure.

Risk and Exploitability

The CVSS base score is 7.8, representing a high‑severity flaw. The EPSS score is less than 1 %, indicating a low likelihood of exploitation under current conditions, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires user interaction: a victim must open a specially crafted file. The likely attack vector is a social‑engineering or file‑sharing scenario, with the attacker delivering a malicious file that the user attempts to open with Substance3D Stager. Given these conditions, the risk remains significant for organizations that permit unknown files to be processed with the application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

Substance3D - Stager

affected

Version	Status	Constraints
`0`	affected	≤ 3.1.7

Configuration 1 [-]

AND

cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Adobe

Substance 3d Stager

94%

Version	Status	Scheme	Platform
`[0,3.1.7]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Adobe Substance3D Stager update.
Restrict file‑opening permissions so that users can only open files from trusted sources, and disable automatic execution of unknown files within the application.
Implement network and email filtering policies to block the delivery of malicious Substance3D Stager files, and enforce the principle of least privilege by running the application under a non‑administrator account whenever possible.

Generated by OpenCVE AI on April 16, 2026 at 09:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html

History

Wed, 11 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Microsoft Microsoft windows
CPEs		cpe:2.3:a:adobe:substance_3d_stager:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Microsoft Microsoft windows

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe substance 3d Stager
Vendors & Products		Adobe Adobe substance 3d Stager

Tue, 10 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title		Substance3D - Stager \| Out-of-bounds Write (CWE-787)
Weaknesses		CWE-787
References		https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Adobe Substance 3d Stager

Apple Macos

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-03-10T18:38:56.664Z

Updated: 2026-03-11T03:57:02.088Z

Reserved: 2026-02-18T22:02:41.389Z

Link: CVE-2026-27279

Vulnrichment

Updated: 2026-03-10T19:10:38.020Z

NVD

Status : Analyzed

Published: 2026-03-10T19:17:20.080

Modified: 2026-03-11T18:22:27.810

Link: CVE-2026-27279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object