Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write in Adobe Substance3D Designer that permits the execution of arbitrary code within the user’s context. It exists in versions 15.1.0 and earlier and requires a malicious file to be opened before the software writes beyond its intended memory boundary, potentially overwriting critical data or instructions. The flaw provides an attacker with the ability to run code with the privileges of the user who opens the file.

Affected Systems

Adobe Substance3D Designer versions 15.1.0 and all earlier releases are affected. Any installation of these versions on supported operating systems that processes user supplied files is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high overall severity. Exploitation requires user interaction—specifically opening a crafted file—so the attack vector is limited to environments where users can receive malware. The EPSS score of < 1% and the fact that the vulnerability is not listed in the CISA KEV suggest no documented exploitation in the wild. Nevertheless, the possibility of arbitrary code execution warrants prompt remediation.

Generated by OpenCVE AI on May 13, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe patch for Substance3D Designer as released in the APSB26‑52 advisory.
  • Block or carefully verify files from untrusted sources before opening them in the application.
  • Run Substance3D Designer with least privilege and consider sandboxing the application to limit the impact of any successful exploitation.

Generated by OpenCVE AI on May 13, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe substance 3d Designer
Vendors & Products Adobe
Adobe substance 3d Designer

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Substance3D - Designer | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Adobe Substance 3d Designer
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T19:10:52.866Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34684

cve-icon Vulnrichment

Updated: 2026-05-13T09:57:04.550Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T19:16:31.807

Modified: 2026-05-13T20:16:21.197

Link: CVE-2026-34684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses