CVE-2026-21341 – CVE-2026-21341 is an out-of-bounds write vulner... (How to Fix)

Q: What is the severity of CVE-2026-21341?

CVE-2026-21341 has a CVSS score of 7.8 (HIGH). CVE-2026-21341 is an out-of-bounds write vulnerability in Substance3D Stager that could allow arbitrary code execution when a user opens a malicious file. This affects users of Substance3D Stager versions 3.1.6 and earlier, requiring user interaction to trigger the exploit.

📋 TL;DR

CVE-2026-21341 is an out-of-bounds write vulnerability in Substance3D Stager that could allow arbitrary code execution when a user opens a malicious file. This affects users of Substance3D Stager versions 3.1.6 and earlier, requiring user interaction to trigger the exploit.

💻 Affected Systems

Products:

Adobe Substance 3D Stager

Versions: 3.1.6 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable by default when processing malicious files.

📦 What is this software?

Substance 3d Stager by Adobe

View all CVEs affecting Substance 3d Stager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the victim's computer in the context of the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malicious actor executes code on victim's system to steal sensitive files, install malware, or establish persistence for further attacks.

🟢

If Mitigated

Limited impact with proper user training and file validation preventing malicious files from being opened.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not directly exposed network services.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and knowledge of file format manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html

Restart Required: Yes

Instructions:

1. Open Substance 3D Stager. 2. Go to Help > Check for Updates. 3. Install available updates. 4. Restart the application.

🔧 Temporary Workarounds

Restrict file opening

all

Configure application to only open trusted files or disable automatic file opening

User training

all

Train users to only open Substance3D files from trusted sources

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of unauthorized code
Use endpoint protection with behavioral analysis to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Substance 3D Stager version in application settings or About dialog

Check Version:

Open Substance 3D Stager and navigate to Help > About Substance 3D Stager

Verify Fix Applied:

Verify version is 3.1.7 or later after applying update

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory access violations
Unexpected child processes spawned from Substance3D Stager

Network Indicators:

Unusual outbound connections from Substance3D Stager process

SIEM Query:

process_name:"Substance 3D Stager.exe" AND (event_type:crash OR child_process_count > 1)

📊 Metadata

CVE ID: CVE-2026-21341

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

EPSS Score: 0.03% exploit probability (6.2th percentile)

Published: February 10, 2026

Last Updated: February 11, 2026

🔗 References

https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21341, you might also want to check these: