Description
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write has been discovered in Substance3D Painter. The flaw (CWE‑787) allows an attacker, by delivering a crafted file, to overwrite memory outside a buffer and potentially execute code with the privileges of the user who opens the file. The vulnerability can cause loss of confidentiality, integrity, and availability because it permits the execution of arbitrary instructions.

Affected Systems

The issue affects Adobe Substance3D Painter versions 12.0.2 and earlier. Any installation outside that version range is considered safe. The vulnerability is specific to the desktop product and does not extend to other Adobe offerings.

Risk and Exploitability

The CVSS score of 7.8 indicates a high-severity problem. While an EPSS score is not published, the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Exploitation requires user interaction: the victim must open a malicious file. Consequently, the risk is significant for users who open files from unknown sources, and an attacker cannot compromise a system remotely without that interaction.

Generated by OpenCVE AI on May 12, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Substance3D Painter update (12.0.3 or later).
  • Avoid opening files from untrusted sources until the patch is applied.
  • Restart the system after installing the update to ensure all components reload with the fixed code.

Advisories

No advisories yet.

History

Wed, 13 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 12 May 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe substance 3d Painter |
| CPEs | | cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe, Adobe substance 3d Painter |

Tue, 12 May 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T09:59:26.297Z

Reserved: 2026-03-30T17:30:36.495Z

Link: CVE-2026-34676

Vulnrichment

Updated: 2026-05-13T09:57:27.250Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:11.510

Modified: 2026-05-12T19:51:31.690

Link: CVE-2026-34676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:30:06Z

Weaknesses