Listen to this Post
Substance 3D – Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability (CWE-476) that could lead to application denial-of-service . This vulnerability occurs when the application attempts to dereference a memory pointer that has not been properly initialized or has been set to NULL . When a victim opens a specially crafted malicious file, the application fails to validate specific data structures during the parsing process, leading to a pointer that points to memory address zero . The operating system prevents applications from accessing memory at address zero, causing an access violation exception that terminates the Substance 3D Painter process . An attacker can exploit this vulnerability to repeatedly crash the application, disrupting creative workflows and causing productivity loss . The vulnerability requires user interaction, as the victim must be tricked into opening the malicious file via phishing or social engineering . The issue affects all supported platforms including Windows and macOS . Adobe rates this vulnerability as Important with a CVSS v3.1 base score of 5.5 (Medium) .
Platform: Substance 3D Painter
Version: 11.1.2 and earlier
Vulnerability: NULL Pointer Dereference
Severity: Medium (CVSS 5.5)
Date: March 10, 2026
Prediction: Patch already released (March 10, 2026)
What Undercode Say:
Analysis
The vulnerability exists due to improper validation of file structures during parsing operations. When the application processes a malicious .spp or .psd file, it fails to check whether a pointer has been properly initialized before using it . This leads to an attempt to read or write memory at address 0x00000000, triggering an immediate access violation and process termination. The issue is classified under CWE-476 (NULL Pointer Dereference) . Adobe addressed this vulnerability in the March 2026 security update (APSB26-25), releasing version 11.1.3 which implements proper pointer validation before dereferencing . The vulnerability is not known to be publicly exploited or under active attack at the time of release .
Bash Commands and Code
Check installed version on Windows (via PowerShell)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" | Where-Object {$<em>.DisplayName -like "Substance 3D Painter"} | Select-Object DisplayName, DisplayVersion
Check installed version on macOS
ls /Applications/Adobe\ Substance\ 3D\ Painter.app/Contents/Info.plist | xargs defaults read | grep -A 1 CFBundleShortVersionString
Download available updates via Adobe Creative Cloud CLI
/usr/local/bin/Adobe\ Creative\ Cloud/ACC/Creative\ Cloud.app/Contents/MacOS/Creative\ Cloud --update=Substance3DPainter
Monitor application crashes (Windows Event Viewer)
Get-EventLog -LogName Application -EntryType Error -Newest 50 | Where-Object {$</em>.Message -like "Painter"}
Simple crash detection script (bash)
!/bin/bash
if dmesg | grep -i "painter.segfault"; then
echo "Warning: Substance 3D Painter crash detected - possible CVE-2026-21364 exploitation attempt"
fi
Check file integrity before opening (hash comparison)
sha256sum suspicious_file.spp | awk '{print $1}' | grep -f known_malicious_hashes.txt
How Exploit Works
- Attack Vector: Local file opening with user interaction required
- Prerequisites: Attacker crafts malicious .spp or supporting asset file
- Delivery: Malicious file distributed via email, downloads, or removable media
- Trigger: Victim opens file in Substance 3D Painter versions ≤ 11.1.2
- Mechanism: Application reads file and accesses uninitialized pointer
- Crash: NULL dereference causes access violation and process termination
- Result: Denial of service – application becomes unavailable
Protection from this CVE
- Update immediately: Upgrade to Substance 3D Painter 11.1.3 or later
- Creative Cloud updates: Enable automatic updates in Adobe Creative Cloud desktop app
- File handling: Do not open Substance 3D files from untrusted sources
- Email filtering: Block .spp, .psd, and related asset file extensions in email gateways
- User training: Educate users about phishing with malicious project files
- AppLocker/Restricted Software: Restrict execution to approved versions only
7. Backup configuration: Save workspace layouts before updating
Impact
- Availability: Complete application denial-of-service (High impact)
- Confidentiality: No impact – no data exfiltration possible
- Integrity: No impact – files cannot be modified via this vulnerability
- Attack Complexity: Low – no special conditions required beyond file opening
- Scope: Unchanged – impact limited to vulnerable application instance
- User Interaction: Required – victim must open malicious file
- Business Impact: Productivity loss, project delays, potential reputation damage for creative agencies relying on 3D workflows
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

