Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write vulnerability exists in Substance3D – Designer versions 15.1.0 and earlier, allowing an attacker to corrupt memory and ultimately execute arbitrary code with the privileges of the user running the application. The flaw resides in how the program processes certain user‑supplied data and can be triggered by a malicious file that the user opens.

Affected Systems

Adobe’s Substance3D – Designer product, affecting all installations at version 15.1.0 and earlier.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score is 0.00028 (less than 1%), indicating a very low probability of exploitation, while the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to open a malicious file, making user interaction a prerequisite. Attackers can gain code execution only in the context of the current user; however, this still permits installation of malware, data theft, or other malicious actions that benefit the attacker. Consequently, the risk is high but non‑negligible, especially in environments where users frequently handle untrusted files.

Generated by OpenCVE AI on May 13, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe patch or upgrade Substance3D – Designer to a version newer than 15.1.0
  • Restrict or disable opening of susceptible file types (e.g., refuse to open .sbs files from untrusted sources)
  • Educate users on the risks of opening unknown files and enforce strict handling policies

Generated by OpenCVE AI on May 13, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T19:10:37.825Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34683

cve-icon Vulnrichment

Updated: 2026-05-13T09:57:09.064Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T19:16:31.603

Modified: 2026-05-13T20:16:21.083

Link: CVE-2026-34683

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses