Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write in Adobe Substance3D Designer that permits the execution of arbitrary code within the user’s context. It exists in versions 15.1.0 and earlier and requires a malicious file to be opened before the software writes beyond its intended memory boundary, potentially overwriting critical data or instructions. The flaw provides an attacker with the ability to run code with the privileges of the user who opens the file.

Affected Systems

Adobe Substance3D Designer versions 15.1.0 and all earlier releases are affected. Any installation of these versions on supported operating systems that processes user-supplied files is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 corresponds to Medium severity. Exploitation requires user interaction, specifically opening a crafted file, so an attack depends on a malicious file reaching a user who then opens it in the application. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented exploitation in the wild. Nevertheless, the possibility of arbitrary code execution warrants prompt remediation.

Generated by OpenCVE AI on May 12, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe patch for Substance3D Designer as released in the APSB26‑52 advisory.
  • Block or carefully verify files from untrusted sources before opening them in the application.
  • Run Substance3D Designer with least privilege and consider sandboxing the application to limit the impact of any successful exploitation.



Advisories

No advisories yet.

History

Tue, 12 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | Substance3D - Designer | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T03:58:34.740Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34684

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T19:16:31.807

Modified: 2026-05-12T19:16:31.807

Link: CVE-2026-34684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:45:23Z

Weaknesses