CVE-2026-21337

5.5 MEDIUM

📋 TL;DR

CVE-2026-21337 is an out-of-bounds read vulnerability in Substance3D Designer: opening a crafted file can make the application read past the end of a buffer and expose the contents of process memory. An attacker can potentially recover sensitive data from that memory, but exploitation requires a user to open the malicious file. Substance3D Designer versions 15.1.0 and earlier are affected.

💻 Affected Systems

Products:
  • Adobe Substance3D Designer
Versions: 15.1.0 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default; no non-default setting is required, only that a crafted file is opened in the application.

📦 What is this software?

Adobe Substance 3D Designer is a node-based authoring application for procedural materials and textures used in 3D content pipelines. It opens .sbs project files and .sbsar archives and imports image and mesh assets, so it routinely parses files that originate outside the user's organization.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could disclose the contents of process memory, including application data and heap pointers. Leaked pointers can be used to defeat ASLR, so the read could be chained with a separate memory-corruption vulnerability to achieve code execution; on its own this bug does not write memory or execute code.

🟠

Likely Case

Limited information disclosure from application memory, possibly exposing some application data but unlikely to lead to full system compromise without additional vulnerabilities.

🟢

If Mitigated

With proper controls, the impact is minimal as exploitation requires user interaction and the vulnerability only allows reading memory, not writing or code execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, making remote exploitation unlikely without social engineering.
🏢 Internal Only: MEDIUM - Internal users could be targeted with malicious files via email or network shares, but still requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and understanding of memory layout. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.1.1 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_designer/apsb26-19.html

Restart Required: Yes

Instructions:

1. Open Substance3D Designer.
2. Go to Help > Check for Updates.
3. Follow the prompts to install version 15.1.1 or later.
4. Restart the application.

🔧 Temporary Workarounds

Restrict file processing
Platforms: all
Only open trusted Substance3D Designer files from verified sources.

Application sandboxing
Platforms: all
Run Substance3D Designer in a sandboxed environment to limit potential damage.

🧯 If You Can't Patch

  • Note that application allow-listing does not address this bug: the vulnerable code runs inside the trusted, allow-listed Designer process when it opens a crafted file. Controls that do reduce exposure are blocking Designer project files (.sbs/.sbsar) and other Designer-openable attachments from external senders at the mail gateway, not opening files from network shares that outside parties can write to, and running Designer under a least-privilege account or sandbox.
  • Educate users about the risks of opening untrusted Substance3D Designer files, particularly files received by email or downloaded from unfamiliar sources.

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Designer version in Help > About. If version is 15.1.0 or earlier, system is vulnerable.

Check Version:

In Substance3D Designer: Help > About

Verify Fix Applied:

Verify version is 15.1.1 or later in Help > About after applying update.
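The version check above is manual. The following is an added example, not code from the advisory page or from Adobe, that applies the same rule (15.1.0 and earlier affected, 15.1.1 or later fixed) in a form a fleet inventory script can use. It compares versions numerically rather than as strings, which matters once a 15.10.x release exists, and it reads the installed version from disk where it can. The macOS bundle path, the CFBundleShortVersionString key and the pywin32 dependency for the Windows file-version read are assumptions, not facts from the page; adjust them to how Designer is packaged in your estate.

```python
"""Added example (not from the advisory page or Adobe): classify an installed
Substance3D Designer version against the ranges the advisory gives and,
where possible, read the installed version from disk for a fleet check.

Assumptions not stated on the page: the macOS bundle path, the
CFBundleShortVersionString key, and pywin32 for the Windows file-version read.
"""
import plistlib
import re
from pathlib import Path
from typing import Optional, Tuple, Union

FIXED_VERSION: Tuple[int, int, int] = (15, 1, 1)  # advisory: 15.1.1 or later is patched


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted version from strings such as '15.1.0', 'v15.1' or
    '15.1.1 (build 2024)' and return it as a tuple of ints. Short versions are
    zero-padded so that '15.1' compares equal to '15.1.0'."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version_text: str) -> bool:
    """True for 15.1.0 and earlier, False for 15.1.1 or later.

    Tuples compare component by component as integers, so 15.10.0 is treated
    as newer than 15.1.1; a plain string comparison ('15.10.0' < '15.1.1' is
    True) would misclassify such a release as affected."""
    return parse_version(version_text) < FIXED_VERSION


# Assumed macOS install location; the page does not give one.
MAC_PLIST = Path("/Applications/Adobe Substance 3D Designer/"
                 "Adobe Substance 3D Designer.app/Contents/Info.plist")


def mac_installed_version(plist_path: Union[str, Path] = MAC_PLIST) -> Optional[str]:
    """Read CFBundleShortVersionString from the app bundle's Info.plist, or
    return None when Designer is not installed at that path."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def windows_installed_version(exe_path: Union[str, Path]) -> Optional[str]:
    """Read the file version resource of the Designer executable with pywin32
    (assumed to be installed on the Windows host running this check)."""
    path = Path(exe_path)
    if not path.is_file():
        return None
    try:
        import win32api  # type: ignore
    except ImportError:
        return None
    info = win32api.GetFileVersionInfo(str(path), "\\")
    ms, ls = info["FileVersionMS"], info["FileVersionLS"]
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def report(version_text: Optional[str]) -> str:
    """One-line verdict suitable for an inventory report."""
    if version_text is None:
        return "not installed"
    verdict = ("VULNERABLE (update to 15.1.1 or later)"
               if is_vulnerable(version_text) else "patched")
    return f"{version_text}: {verdict}"


if __name__ == "__main__":
    print("macOS:", report(mac_installed_version()))
```

On Windows, pass the path of the Designer executable to windows_installed_version(); the result feeds report() the same way. Any "VULNERABLE" line should be followed by the Help > About check described above before closing the ticket, since packaging can lag the in-app version string.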

📡 Detection & Monitoring

Log Indicators:

  • Crash reports naming the Designer process shortly after a file was opened: on Windows, Application log Event ID 1000 (source "Application Error") or 1001 (Windows Error Reporting); on macOS, crash logs under ~/Library/Logs/DiagnosticReports
  • Caveat: an out-of-bounds read only crashes the process when the read reaches unmapped memory, so a successful exploitation attempt can leave no crash record at all; absence of crashes is not evidence of absence

Network Indicators:

  • Designer project files (.sbs/.sbsar) or other Designer-openable files arriving by email or downloaded from unfamiliar domains to hosts that have Substance3D Designer installed

SIEM Query:

index=wineventlog sourcetype="WinEventLog:Application" (EventCode=1000 OR EventCode=1001) "Substance 3D Designer"

(Splunk syntax, given as a starting point; the generic form source="application_logs" AND process="Substance3D Designer" AND (event="crash" OR event="exception") maps to whatever index, sourcetype and field names your SIEM uses for Windows Application-log and macOS crash telemetry.)
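The query above only selects records; the triage step is deciding which crash events actually belong to the Designer process and which hosts need their files pulled. The following is an added example, not code from the advisory page, that does that over exported Windows Application event-log records. The records are constructed here to resemble Event ID 1000 ("Application Error") and 1001 ("Windows Error Reporting") entries and are not real telemetry; the executable name "Adobe Substance 3D Designer.exe" is assumed, since the page does not name the process binary. It also separates out access-violation crashes (0xc0000005), the signature of a read that crossed a mapping boundary, while keeping in mind that a read that stays inside mapped memory produces no event at all.

```python
"""Added example (not from the advisory page): triage exported Windows
Application event-log records for crashes of the Substance3D Designer process.
The SAMPLE_EVENTS below are constructed, not real telemetry, and the process
name 'Adobe Substance 3D Designer.exe' is an assumption.
"""
import re
from collections import Counter
from typing import Dict, List

# Event IDs that carry crash details in the Windows Application log.
CRASH_EVENT_IDS = {1000, 1001}

# Assumed process name; tighten to the exact binary name seen in your fleet.
DESIGNER_EXE = re.compile(r"adobe substance ?3d designer\.exe", re.IGNORECASE)
EXCEPTION_CODE = re.compile(r"Exception code:\s*(0x[0-9a-f]+)", re.IGNORECASE)
FAULT_MODULE = re.compile(r"Faulting module name:\s*([^,]+)", re.IGNORECASE)

# Constructed sample records in a JSON-export shape; field names are illustrative.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws-art-01", "event_id": 1000, "provider": "Application Error",
     "message": "Faulting application name: Adobe Substance 3D Designer.exe, version: 15.1.0.0, "
                "Faulting module name: Adobe Substance 3D Designer.exe, Exception code: 0xc0000005"},
    {"host": "ws-art-01", "event_id": 1001, "provider": "Windows Error Reporting",
     "message": "Fault bucket 1234, type 4 Event Name: APPCRASH "
                "P1: Adobe Substance 3D Designer.exe P2: 15.1.0.0"},
    {"host": "ws-art-02", "event_id": 1000, "provider": "Application Error",
     "message": "Faulting application name: notepad.exe, version: 10.0.19041.1, "
                "Faulting module name: ntdll.dll, Exception code: 0xc0000374"},
    {"host": "ws-art-03", "event_id": 7036, "provider": "Service Control Manager",
     "message": "The Adobe Substance 3D Designer.exe helper entered the running state."},
    {"host": "ws-art-03", "event_id": 1000, "provider": "Application Error",
     "message": "Faulting application name: Adobe Substance 3D Designer.exe, version: 15.1.0.0, "
                "Faulting module name: ucrtbase.dll, Exception code: 0xc0000005"},
]


def designer_crashes(events: List[Dict]) -> List[Dict]:
    """Keep only crash events (1000/1001) whose message names the Designer
    binary, and pull out the exception code and faulting module when present.
    A 1001 record carries neither, so those fields come back as None."""
    hits = []
    for ev in events:
        if ev.get("event_id") not in CRASH_EVENT_IDS:
            continue  # e.g. a service-control message that merely mentions the exe
        msg = ev.get("message", "")
        if not DESIGNER_EXE.search(msg):
            continue  # crash of some other application
        code = EXCEPTION_CODE.search(msg)
        module = FAULT_MODULE.search(msg)
        hits.append({
            "host": ev.get("host"),
            "event_id": ev["event_id"],
            "exception_code": code.group(1).lower() if code else None,
            "faulting_module": module.group(1).strip() if module else None,
        })
    return hits


def hosts_to_triage(events: List[Dict]) -> Dict[str, int]:
    """Crash count per host. Any host with one or more Designer crashes gets
    the recently opened files collected and its version checked."""
    return dict(Counter(hit["host"] for hit in designer_crashes(events)))


def access_violations(events: List[Dict]) -> List[Dict]:
    """Subset with STATUS_ACCESS_VIOLATION (0xc0000005), which is what a read
    past the end of a mapping produces. Reads that stay inside mapped memory,
    the successful case for this bug, leave no such event."""
    return [h for h in designer_crashes(events) if h["exception_code"] == "0xc0000005"]


if __name__ == "__main__":
    for host, n in hosts_to_triage(SAMPLE_EVENTS).items():
        print(f"{host}: {n} Designer crash event(s)")
```

Feed it the JSON your log forwarder produces for the Application channel (adjust the field names in one place if they differ) and escalate any host in hosts_to_triage(); the faulting module and exception code help an analyst decide whether the crash looks like a parser fault in a crafted file or an unrelated driver or runtime problem.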
