Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Substance3D Designer versions 15.1.0 and earlier contain an out‑of‑bounds write vulnerability (CWE‑787) that can allow an attacker to execute arbitrary code in the context of the current user. The flaw is triggered when a user opens a specially crafted file; no additional privileges or authentication beyond the user account are required. This means that if a user launches a malicious file, the attacker could gain full control of the system, compromising confidentiality, integrity, and availability.

Affected Systems

Adobe Substance3D Designer is affected. All releases up to and including version 15.1.0 are vulnerable. No other Adobe products are listed as impacted by this specific issue.

Risk and Exploitability

The CVSS score of 7.8 signifies high severity, and while an EPSS score is not available, the vulnerability requires user interaction and is therefore likely to be exploited through social engineering or malicious content distribution. The issue is not listed in CISA’s KEV catalog, indicating no known publicly documented exploitation at this time. Attackers would need to convince a user to open a crafted Designer file, after which arbitrary code execution would occur.

Generated by OpenCVE AI on May 12, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe update or upgrade Substance3D Designer to a version not affected by this vulnerability.
  • Prevent the automatic opening of unknown files by configuring Designer to require explicit user confirmation for all file opens.
  • Implement application hardening controls, such as Windows Defender Application Control or equivalent, to restrict Designer from executing code that is not signed by Adobe.

Generated by OpenCVE AI on May 12, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T09:58:10.254Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34681

cve-icon Vulnrichment

Updated: 2026-05-13T09:57:00.459Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T19:16:31.313

Modified: 2026-05-13T19:40:12.757

Link: CVE-2026-34681

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses