Description
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw that allows an attacker to execute code in the context of the current user. When a malicious file is opened, the program accesses freed memory, which can be manipulated to launch arbitrary instructions. This grants full control of the affected system to an attacker who successfully exploits the flaw.

Affected Systems

Adobe Substance3D – Stager versions 3.1.7 and earlier on Windows and macOS operating systems are impacted. Any installation of the application that has not been upgraded beyond version 3.1.7 is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction: the victim must open a specially crafted file that triggers the use‑after‑free code path. Once compromised, the attacker gains full privileges of the user account that launched the application.

Generated by OpenCVE AI on March 30, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Adobe update that removes the use‑after‑free flaw; upgrade Substance3D – Stager to a version newer than 3.1.7.

Generated by OpenCVE AI on March 30, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Stager
Vendors & Products Adobe
Adobe substance 3d Stager

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Stager | Use After Free (CWE-416)
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Substance 3d Stager
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-31T03:55:40.195Z

Reserved: 2026-02-18T22:02:41.402Z

Link: CVE-2026-27309

cve-icon Vulnrichment

Updated: 2026-03-30T14:25:14.202Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T22:16:20.497

Modified: 2026-03-30T17:18:12.520

Link: CVE-2026-27309

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:57:00Z

Weaknesses