CVE-2026-21343 – Substance3D Stager versions 3.1.6 and earlier c... (How to Fix)

Q: What is the severity of CVE-2026-21343?

CVE-2026-21343 has a CVSS score of 7.8 (HIGH). Substance3D Stager versions 3.1.6 and earlier contain an out-of-bounds read vulnerability when parsing malicious files. An attacker could exploit this to execute arbitrary code with the privileges of the current user. This affects users who open untrusted files with vulnerable versions of Substance3D Stager.

📋 TL;DR

Substance3D Stager versions 3.1.6 and earlier contain an out-of-bounds read vulnerability when parsing malicious files. An attacker could exploit this to execute arbitrary code with the privileges of the current user. This affects users who open untrusted files with vulnerable versions of Substance3D Stager.

💻 Affected Systems

Products:

Adobe Substance3D Stager

Versions: 3.1.6 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable when parsing files.

📦 What is this software?

Substance 3d Stager by Adobe

View all CVEs affecting Substance 3d Stager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or malware execution when a user opens a crafted malicious file.

🟢

If Mitigated

Limited impact with proper file validation and user awareness preventing malicious file execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly network-exploitable.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and crafting specific file formats.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application. 2. Navigate to Apps > Updates. 3. Find Substance3D Stager and click Update. 4. Restart the application after update completes.

🔧 Temporary Workarounds

Restrict file types

all

Configure system to only allow trusted file types or use application whitelisting

User awareness training

all

Train users to avoid opening untrusted files from unknown sources

🧯 If You Can't Patch

Implement application control/whitelisting to prevent execution of vulnerable versions
Use network segmentation to isolate systems running vulnerable software

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Stager version in application About menu or via Creative Cloud app

Check Version:

On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Substance3D Stager\Version or via Creative Cloud app

Verify Fix Applied:

Verify version is 3.1.7 or later in About menu

📡 Detection & Monitoring

Log Indicators:

Application crashes when parsing files
Unusual file access patterns from Substance3D Stager

Network Indicators:

Downloads of suspicious file types followed by application execution

SIEM Query:

source="windows-security" EventID=4688 ProcessName="*Stager*" AND CommandLine="*.sbsar" OR "*.sbs"

📊 Metadata

CVE ID: CVE-2026-21343

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-125

EPSS Score: 0.03% exploit probability (6.2th percentile)

Published: February 10, 2026

Last Updated: February 11, 2026

🔗 References

https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21343, you might also want to check these: