Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds write in Substance3D-Designer can be leveraged to execute arbitrary code in the context of the current user. The flaw is a classic out-of-bounds write (CWE-787) and arises when processing a malicious file. Consequently, an attacker who succeeds in getting a user to open such a file would gain code execution with the same privileges as that user.

Affected Systems

Adobe Substance3D Designer versions 15.1.0 and earlier are affected. The vulnerability is confined to these legacy releases; newer versions are not susceptible.

Risk and Exploitability

The CVSS score of 7.8 denotes a high severity. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog. Exploitation requires user interaction – a victim must open a malicious file. Therefore, the risk is high for users who handle untrusted files, but the attack vector is local and requires no network access.

Generated by OpenCVE AI on May 12, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Substance3D Designer to the latest patched release (e.g., 15.1.1 or later).
  • If a patch cannot be applied immediately, restrict the ability to open untrusted files by disabling automatic opening and enforcing file‑type restrictions.
  • Scan or sandbox suspect files before opening them to detect malicious content.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| CPEs | | cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:* |

Wed, 13 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 13 May 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| First Time appeared | | Adobe; Adobe substance 3d Designer |
| Vendors & Products | | Adobe; Adobe substance 3d Designer |

Tue, 12 May 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Substance3D - Designer \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T09:57:54.206Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34682

Vulnrichment

Updated: 2026-05-13T09:56:56.183Z

NVD

Status: Analyzed

Published: 2026-05-12T19:16:31.447

Modified: 2026-05-13T19:40:17.447

Link: CVE-2026-34682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses