CVE-2026-21348

5.5 MEDIUM

📋 TL;DR

Substance3D Modeler versions 1.22.5 and earlier contain an out-of-bounds read vulnerability that could allow memory exposure. An attacker could exploit this by tricking a user into opening a malicious file, potentially disclosing sensitive information from memory. Users of affected Substance3D Modeler versions are at risk.

💻 Affected Systems

Products:
  • Adobe Substance3D Modeler
Versions: 1.22.5 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when opening files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Sensitive information like passwords, encryption keys, or proprietary data could be extracted from memory, leading to data breaches or further system compromise.
🟠 Likely Case: Limited memory disclosure of non-critical data due to the need for user interaction and specific file types.
🟢 If Mitigated: No impact if users avoid opening untrusted files or have patched software.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not direct network access.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM - Requires crafting malicious files and social engineering.

Exploitation depends on user interaction to open malicious files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.6 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-22.html

Restart Required: Yes

Instructions:

1. Open Substance3D Modeler.
2. Go to Help > Check for Updates.
3. Install update to version 1.22.6 or later.
4. Restart the application.

🔧 Temporary Workarounds

  • Restrict file handling (all platforms): Configure software to only open trusted file types or from trusted sources.
  • User awareness training (all platforms): Train users to avoid opening untrusted or unexpected files.

🧯 If You Can't Patch

  • Disable Substance3D Modeler until patched.
  • Use application whitelisting to block execution of vulnerable versions.

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Modeler version in application settings or About dialog.

Check Version:

Open Substance3D Modeler and navigate to Help > About Substance3D Modeler.

Verify Fix Applied:

Confirm version is 1.22.6 or later after update.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs from Substance3D Modeler
  • Unexpected file access attempts

Network Indicators:

  • Downloads of suspicious files by users

SIEM Query:

source="Substance3D Modeler" AND (event_type="crash" OR file_path="*.sbsar")
