Adobe Substance 3D Painter, NULL Pointer Dereference, CVE-2026-21364 (Medium)

Listen to this Post

Substance 3D – Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability (CWE-476) that could lead to application denial-of-service . This vulnerability occurs when the application attempts to dereference a memory pointer that has not been properly initialized or has been set to NULL . When a victim opens a specially crafted malicious file, the application fails to validate specific data structures during the parsing process, leading to a pointer that points to memory address zero . The operating system prevents applications from accessing memory at address zero, causing an access violation exception that terminates the Substance 3D Painter process . An attacker can exploit this vulnerability to repeatedly crash the application, disrupting creative workflows and causing productivity loss . The vulnerability requires user interaction, as the victim must be tricked into opening the malicious file via phishing or social engineering . The issue affects all supported platforms including Windows and macOS . Adobe rates this vulnerability as Important with a CVSS v3.1 base score of 5.5 (Medium) .
Platform: Substance 3D Painter
Version: 11.1.2 and earlier
Vulnerability: NULL Pointer Dereference
Severity: Medium (CVSS 5.5)
Date: March 10, 2026

Prediction: Patch already released (March 10, 2026)

What Undercode Say:

Analysis

The vulnerability exists due to improper validation of file structures during parsing operations. When the application processes a malicious .spp or .psd file, it fails to check whether a pointer has been properly initialized before using it . This leads to an attempt to read or write memory at address 0x00000000, triggering an immediate access violation and process termination. The issue is classified under CWE-476 (NULL Pointer Dereference) . Adobe addressed this vulnerability in the March 2026 security update (APSB26-25), releasing version 11.1.3 which implements proper pointer validation before dereferencing . The vulnerability is not known to be publicly exploited or under active attack at the time of release .

Bash Commands and Code

Check installed version on Windows (via PowerShell)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" | Where-Object {$<em>.DisplayName -like "Substance 3D Painter"} | Select-Object DisplayName, DisplayVersion
Check installed version on macOS
ls /Applications/Adobe\ Substance\ 3D\ Painter.app/Contents/Info.plist | xargs defaults read | grep -A 1 CFBundleShortVersionString
Download available updates via Adobe Creative Cloud CLI
/usr/local/bin/Adobe\ Creative\ Cloud/ACC/Creative\ Cloud.app/Contents/MacOS/Creative\ Cloud --update=Substance3DPainter
Monitor application crashes (Windows Event Viewer)
Get-EventLog -LogName Application -EntryType Error -Newest 50 | Where-Object {$</em>.Message -like "Painter"}
Simple crash detection script (bash)
!/bin/bash
if dmesg | grep -i "painter.segfault"; then
echo "Warning: Substance 3D Painter crash detected - possible CVE-2026-21364 exploitation attempt"
fi
Check file integrity before opening (hash comparison)
sha256sum suspicious_file.spp | awk '{print $1}' | grep -f known_malicious_hashes.txt

How Exploit Works

  1. Attack Vector: Local file opening with user interaction required
  2. Prerequisites: Attacker crafts malicious .spp or supporting asset file
  3. Delivery: Malicious file distributed via email, downloads, or removable media
  4. Trigger: Victim opens file in Substance 3D Painter versions ≤ 11.1.2
  5. Mechanism: Application reads file and accesses uninitialized pointer
  6. Crash: NULL dereference causes access violation and process termination
  7. Result: Denial of service – application becomes unavailable

Protection from this CVE

  1. Update immediately: Upgrade to Substance 3D Painter 11.1.3 or later
  2. Creative Cloud updates: Enable automatic updates in Adobe Creative Cloud desktop app
  3. File handling: Do not open Substance 3D files from untrusted sources
  4. Email filtering: Block .spp, .psd, and related asset file extensions in email gateways
  5. User training: Educate users about phishing with malicious project files
  6. AppLocker/Restricted Software: Restrict execution to approved versions only

7. Backup configuration: Save workspace layouts before updating

Impact

  • Availability: Complete application denial-of-service (High impact)
  • Confidentiality: No impact – no data exfiltration possible
  • Integrity: No impact – files cannot be modified via this vulnerability
  • Attack Complexity: Low – no special conditions required beyond file opening
  • Scope: Unchanged – impact limited to vulnerable application instance
  • User Interaction: Required – victim must open malicious file
  • Business Impact: Productivity loss, project delays, potential reputation damage for creative agencies relying on 3D workflows

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top