Adobe Substance 3D Painter, Out-of-bounds Read, CVE-2026-21365 (Medium)

Listen to this Post

CVE-2026-21365 is an out-of-bounds read vulnerability affecting Adobe Substance 3D Painter versions 11.1.2 and earlier . This memory exposure issue occurs when the application fails to properly validate memory boundaries while processing crafted files . An attacker can exploit this by convincing a user to open a specially crafted malicious file, triggering the read operation to access memory outside the intended buffer . This flaw falls under CWE-125, which describes out-of-bounds reads . The vulnerability allows the attacker to access sensitive information stored in memory, potentially leading to data exposure . The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates local access is required, complexity is low, no privileges are needed, but user interaction is mandatory . The scope is unchanged, with high impact on confidentiality but no impact on integrity or availability .
Platform: Adobe Substance 3D Painter
Version: 11.1.2 and earlier
Vulnerability: Out-of-bounds Read
Severity: Medium (5.5)
Date: March 10, 2026

Prediction: March 10, 2026

What Undercode Say:

Analytics

CVE-2026-21365 was published on March 10, 2026, as part of Adobe’s March Patch Tuesday release . It is one of nine Important-rated vulnerabilities fixed in Substance 3D Painter during this update cycle . The vulnerability was assigned by Adobe Systems Incorporated and is not listed as publicly known or under active attack at the time of release . NVD enrichment efforts added CVSS metrics with a base score of 5.5 . The vulnerability requires user interaction, meaning a victim must open a malicious file for exploitation to occur .

Bash Commands and Codes

Check installed version of Adobe Substance 3D Painter on Windows (Registry query)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr "Substance 3D Painter"
Check installed version on macOS
ls /Applications/Adobe\ Substance\ 3D\ Painter.app/Contents/Info.plist | xargs defaults read | grep CFBundleShortVersionString
Verify patch installation (Post-update version check)
Patched version should be higher than 11.1.2
if [[ $(defaults read /Applications/Adobe\ Substance\ 3D\ Painter.app/Contents/Info.plist CFBundleShortVersionString) > "11.1.2" ]]; then echo "Patched"; else echo "Vulnerable"; fi
Monitor for suspicious file openings in real-time (Linux/macOS)
sudo opensnoop -n "Adobe Substance 3D Painter" 2>/dev/null | grep -i ".(jpg|png|tiff|psd|spp)"
Windows PowerShell command to find Substance 3D Painter processes and loaded modules
Get-Process -Name "Painter" | ForEach-Object { $<em>.Modules } | Where-Object { $</em>.FileName -like "memory.dll" }
Check for Adobe security updates via command line (macOS)
softwareupdate --list | grep -i "adobe"
Simulate out-of-bounds read detection using AddressSanitizer (Development/Testing)
clang -fsanitize=address -g -o test_reader test_reader.c && ./test_reader malicious_file.spp

Exploit

The exploit for CVE-2026-21365 involves crafting a malicious Substance 3D Painter project file that triggers an out-of-bounds read condition . The attacker must socially engineer the victim into opening the file via email, download, or other means . When the application parses the malformed file, it reads beyond the bounds of an allocated buffer, exposing adjacent memory contents . This could leak sensitive data such as encryption keys, credentials, or other application secrets residing in memory . No public exploit code has been released, and Adobe reports no active exploitation at the time of patch release .

Protection from this CVE

  • Update to Adobe Substance 3D Painter version 11.2.0 or later
  • Apply the Adobe Security Bulletin APSB26-25 patch immediately
  • Do not open untrusted .spp files from unknown sources
  • Enable Windows Defender Exploit Guard or similar memory protection features
  • Use application sandboxing to limit memory access if exploitation occurs
  • Implement Group Policy to restrict software execution for non-admin users
  • Monitor endpoint detection systems for anomalous memory access patterns
  • Disable preview panes or automatic parsing of 3D files in email clients

Impact

Successful exploitation leads to information disclosure of sensitive memory contents . The confidentiality impact is high, as attackers can potentially extract credentials, encryption keys, or proprietary data from the application’s memory space . The vulnerability does not directly allow code execution or privilege escalation . However, leaked memory could be combined with other exploits to bypass ASLR or other mitigations . Affected systems include Windows and macOS platforms running vulnerable versions . The attack vector is local, requiring user interaction, which reduces the overall risk score to Medium (5.5) .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top