CVE-2023-29282

7.8 HIGH

📋 TL;DR

Adobe Substance 3D Painter versions 8.3.0 and earlier contain an out-of-bounds write vulnerability that could allow attackers to execute arbitrary code on a victim's system. This affects users who open malicious files with the software. Exploitation requires user interaction through opening a specially crafted file.

💻 Affected Systems

Products:
  • Adobe Substance 3D Painter
Versions: 8.3.0 and earlier
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing malicious files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or malware execution in user context, potentially compromising sensitive project files and system resources accessible to the user.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting isolated application data.

🌐 Internet-Facing: LOW - Exploitation requires local file access and user interaction, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Risk exists within organizations where users might open untrusted files, but requires social engineering or compromised internal resources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user to open malicious file; no authentication bypass needed but social engineering required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.1 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_painter/apsb23-29.html

Restart Required: Yes

Instructions:

1. Open Adobe Substance 3D Painter.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 8.3.1 or later.
4. Restart the application.

🔧 Temporary Workarounds

Restrict file opening

all

Configure application to only open trusted files from known sources

Run with reduced privileges

all

Run Adobe Substance 3D Painter with limited user permissions to reduce impact

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of malicious payloads
  • Educate users to never open untrusted .spp files or other project formats

🔍 How to Verify

Check if Vulnerable:

Check Adobe Substance 3D Painter version in Help > About

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 8.3.1 or higher in Help > About

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening files
  • Unusual process spawning from Substance 3D Painter

Network Indicators:

  • Unexpected outbound connections after opening project files

SIEM Query:

Process creation where parent_process contains 'painter' AND (process contains 'cmd' OR process contains 'powershell' OR process contains 'bash')
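
The SIEM query above, applied to constructed process-creation events, as an added example that is not part of the original advisory. The event field names, host names and install paths are assumptions; matching on the executable name instead of the full path is a choice made here so that a directory named "Painter" does not trigger the rule.

```python
import ntpath
import posixpath

# Substrings taken from the page's SIEM query.
PARENT_MARKER = "painter"
SHELL_MARKERS = ("cmd", "powershell", "bash")


def basename(path):
    """Return the lower-cased file name for a Windows or POSIX path."""
    name = ntpath.basename(path) if "\\" in path else posixpath.basename(path)
    return name.lower()


def is_suspicious(event):
    """Apply the query: parent contains 'painter' AND child contains a shell marker."""
    parent = basename(event.get("parent_process", ""))
    child = basename(event.get("process", ""))
    return PARENT_MARKER in parent and any(m in child for m in SHELL_MARKERS)


def triage(events):
    """Return (host, parent, child) for every event that matches the rule."""
    return [
        (e["host"], basename(e["parent_process"]), basename(e["process"]))
        for e in events
        if is_suspicious(e)
    ]


# Constructed sample events; field names, hosts and install paths are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_process": r"C:\Program Files\Adobe\Adobe Substance 3D Painter\Adobe Substance 3D Painter.exe",
     "process": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-02", "parent_process": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "mac-03", "parent_process": "/Applications/Adobe Substance 3D Painter.app/Contents/MacOS/Adobe Substance 3D Painter",
     "process": "/bin/bash"},
    {"host": "ws-04", "parent_process": r"C:\Painter Projects\tools\launcher.exe",
     "process": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-05", "parent_process": r"C:\Program Files\Adobe\Adobe Substance 3D Painter\Adobe Substance 3D Painter.exe",
     "process": r"C:\Program Files\Adobe\Adobe Substance 3D Painter\crashhandler.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", *hit)
```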
