CVE-2026-21308

5.5 MEDIUM

📋 TL;DR

Substance3D Designer versions 15.0.3 and earlier contain an out-of-bounds read vulnerability that could allow memory disclosure. Attackers could exploit this by tricking users into opening malicious files, potentially exposing sensitive information from memory. Users of affected Substance3D Designer versions are at risk.

💻 Affected Systems

Products:
  • Adobe Substance3D Designer
Versions: 15.0.3 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. User interaction (opening malicious file) is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker successfully exploits the vulnerability to read sensitive data from memory, potentially exposing credentials, encryption keys, or other confidential information.

🟠 Likely Case

Limited information disclosure from memory, potentially exposing application data or system information but not necessarily critical secrets.

🟢 If Mitigated

No impact if users don't open untrusted files or if the application is patched.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.0.4 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html

Restart Required: Yes

Instructions:

1. Open Substance3D Designer.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 15.0.4 or later.
4. Restart the application.

🔧 Temporary Workarounds

  • Restrict file opening (all platforms): Only open trusted Substance3D Designer files from verified sources.
  • Application sandboxing (all platforms): Run Substance3D Designer in a sandboxed environment to limit potential impact.

🧯 If You Can't Patch

  • Implement strict file handling policies to prevent opening untrusted Substance3D Designer files
  • Monitor for suspicious file access attempts and memory-related crashes in the application

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Designer version in Help > About. If version is 15.0.3 or earlier, the system is vulnerable.

Check Version:

In Substance3D Designer: Help > About

Verify Fix Applied:

Verify version is 15.0.4 or later in Help > About after applying update.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected file opening events from untrusted sources

Network Indicators:

  • Downloads of Substance3D Designer files from untrusted sources

SIEM Query:

EventID=1000 AND ProcessName="Substance3D Designer.exe" AND ExceptionCode=0xc0000005
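
The query above, worked through as an added Python example (not from the vendor advisory or this page's source): it triages Windows Application Error (Event ID 1000) records for access-violation crashes of the process and marks whether the crashing build falls in the affected range. The record shape (`host`, `event_id`, `message`), the sample events, and the premise that the executable's reported version tracks the product version are assumptions.

```python
import re

PROCESS = "Substance3D Designer.exe"  # process name from the page's SIEM query
ACCESS_VIOLATION = 0xC0000005         # exception code from the page's SIEM query
LAST_AFFECTED = (15, 0, 3)            # "15.0.3 and earlier" per the page

# Fields of the Application Error (Event ID 1000) message text.
APP_RE = re.compile(
    r"Faulting application name:\s*(?P<app>.+?),\s*version:\s*(?P<ver>\d+(?:\.\d+)*)")
EXC_RE = re.compile(r"Exception code:\s*(?P<code>0x[0-9a-fA-F]+)")

# Constructed sample records (not real telemetry); the dict shape is an assumption.
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 1000, "message":
     "Faulting application name: Substance3D Designer.exe, version: 15.0.3.0, "
     "time stamp: 0x00000000\nException code: 0xc0000005"},
    {"host": "ws-02", "event_id": 1000, "message":
     "Faulting application name: Substance3D Designer.exe, version: 15.0.4.0, "
     "time stamp: 0x00000000\nException code: 0xc0000005"},
    {"host": "ws-03", "event_id": 1000, "message":
     "Faulting application name: notepad.exe, version: 10.0.0.0, "
     "time stamp: 0x00000000\nException code: 0xc0000005"},
    {"host": "ws-04", "event_id": 1000, "message":
     "Faulting application name: Substance3D Designer.exe, version: 14.1.2.0, "
     "time stamp: 0x00000000\nException code: 0xc0000409"},
]

def parse_version(text):
    """'15.0.3.0' -> (15, 0, 3); only major.minor.patch is compared."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(event):
    """Return a finding for an access-violation crash of PROCESS, else None."""
    if event.get("event_id") != 1000:
        return None
    message = event.get("message", "")
    app, exc = APP_RE.search(message), EXC_RE.search(message)
    if not app or not exc:
        return None  # message text does not carry the expected fields
    if app["app"].strip().lower() != PROCESS.lower():
        return None
    if int(exc["code"], 16) != ACCESS_VIOLATION:
        return None
    version = parse_version(app["ver"])
    return {"host": event.get("host"), "version": version,
            "affected_build": version <= LAST_AFFECTED}

def run(events=SAMPLE_EVENTS):
    return [finding for finding in map(triage, events) if finding]
```

A finding with `affected_build` set to `False` is a crash on a patched build, which this CVE does not explain and which should be triaged separately.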
