CVE-2026-21345 – CVE-2026-21345 is an out-of-bounds read vulnera... (How to Fix)

Q: What is the severity of CVE-2026-21345?

CVE-2026-21345 has a CVSS score of 7.8 (HIGH). CVE-2026-21345 is an out-of-bounds read vulnerability in Substance3D Stager that could allow arbitrary code execution when a user opens a malicious file. This affects users of Substance3D Stager versions 3.1.6 and earlier. Successful exploitation requires user interaction through opening a crafted file.

📋 TL;DR

CVE-2026-21345 is an out-of-bounds read vulnerability in Substance3D Stager that could allow arbitrary code execution when a user opens a malicious file. This affects users of Substance3D Stager versions 3.1.6 and earlier. Successful exploitation requires user interaction through opening a crafted file.

💻 Affected Systems

Products:

Adobe Substance3D Stager

Versions: 3.1.6 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable when processing files through the application.

📦 What is this software?

Substance 3d Stager by Adobe

View all CVEs affecting Substance 3d Stager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through remote code execution in the context of the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or application crash leading to denial of service, with potential for limited code execution depending on exploit sophistication.

🟢

If Mitigated

Application crash without code execution if memory protections are enabled, resulting in denial of service only.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not directly network exploitable.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but still requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and bypassing memory protections like ASLR/DEP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html

Restart Required: Yes

Instructions:

1. Open Substance3D Stager. 2. Navigate to Help > Check for Updates. 3. Install available updates. 4. Restart the application.

🔧 Temporary Workarounds

Restrict file processing

all

Configure application to only open trusted files from known sources

User awareness training

all

Train users to avoid opening untrusted Substance3D files from unknown sources

🧯 If You Can't Patch

Implement application control to block execution of vulnerable versions
Use email/web filtering to block suspicious Substance3D file attachments

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Stager version in application settings or About dialog

Check Version:

On Windows: Check Help > About in application. On macOS: Substance3D Stager > About Substance3D Stager

Verify Fix Applied:

Verify version is 3.1.7 or later after update

📡 Detection & Monitoring

Log Indicators:

Application crash logs with memory access violations
Unexpected file processing from untrusted sources

Network Indicators:

Downloads of Substance3D files from suspicious sources

SIEM Query:

EventID=1000 OR EventID=1001 AND ProcessName="Substance3D Stager.exe" AND ExceptionCode=0xC0000005

📊 Metadata

CVE ID: CVE-2026-21345

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-125

EPSS Score: 0.03% exploit probability (6.2th percentile)

Published: February 10, 2026

Last Updated: February 11, 2026

🔗 References

https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21345, you might also want to check these: