Description
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Substance3D Painter versions earlier than 12.0.2 contain an out‑of‑bounds write (CWE‑787) that can be used to overwrite memory and execute arbitrary code when a user opens a crafted file. The flaw does not allow remote exploitation; the attacker must supply a malicious file and the victim must interact with it, typically by double‑clicking or opening the file within the application.

Affected Systems

Adobe Substance3D Painter 12.0.2 and earlier are affected.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity vulnerability, but the EPSS score is not available and the flaw is not listed in the CISA KEV catalog. Exploitation requires user interaction through a malicious file, meaning the attack is local and depends on the user opening the infected document. While the risk is significant for users who regularly open external files, the lack of a remote exploit vector reduces the overall threat compared to remote code execution scenarios.

Generated by OpenCVE AI on May 12, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Adobe Substance3D Painter release that resolves the out‑of‑bounds write flaw
  • If an upgrade cannot be performed immediately, run Painter in a sandboxed or isolated environment to contain any potential compromise
  • Ensure that files are scanned with up‑to‑date antivirus or other security software before opening them in the application

Generated by OpenCVE AI on May 12, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Painter
CPEs cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe substance 3d Painter

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Painter | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Substance 3d Painter
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T09:59:41.288Z

Reserved: 2026-03-30T17:30:36.495Z

Link: CVE-2026-34675

cve-icon Vulnrichment

Updated: 2026-05-13T09:57:31.374Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:11.387

Modified: 2026-05-12T19:51:46.540

Link: CVE-2026-34675

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses