Description
Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds write in Adobe Substance3D – Sampler that can be triggered by opening a malicious sampler file. While processing the file, the software fails to ensure that data written to memory stays within the bounds of an allocated buffer, allowing an attacker to overwrite adjacent memory and execute arbitrary code with the privileges of the current user. The flaw stems from insufficient input validation and is classified as CWE‑787 (Out-of-bounds Write).

Affected Systems

Adobe Substance3D – Sampler versions 6.0.0 and earlier contain the flaw. Systems running these versions are vulnerable; any installation that allows opening sampler files is likely at risk. Releases published after the advisory are considered fixed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting no large‑scale, automated exploitation yet. Exploitation requires user interaction: a victim must open a crafted sampler file, typically delivered via email, download, or other means. If this condition is met, the attacker can gain code execution in the context of the user, making the risk significant for end‑users and environments that automatically open such files.

Generated by OpenCVE AI on June 9, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Substance3D – Sampler to the latest version (6.0.1 or later) as recommended in the vendor’s security advisory.
  • If an upgrade is not immediately possible, disable automatic opening of sampler files and configure the system to prompt the user for confirmation before opening any sampler file, limiting the window for malicious content to be processed.
  • Implement or enforce stricter input validation for any custom components that read sampler files: verify file size, structure, and bounds before processing, rejecting malformed or oversized data that could trigger the out‑of‑bounds write.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe substance 3d Sampler
Vendors & Products | | Adobe; Adobe substance 3d Sampler

Wed, 10 Jun 2026 10:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | Substance3D - Sampler | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-10T10:07:43.590Z

Reserved: 2026-05-21T15:28:38.136Z

Link: CVE-2026-48306

Vulnrichment

Updated: 2026-06-10T10:07:38.488Z

NVD

Status: Received

Published: 2026-06-09T20:17:02.233

Modified: 2026-06-09T20:17:02.233

Link: CVE-2026-48306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses