CVE-2026-21343
HIGHCVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Analysis
Code execution in Substance 3D Stager 3.1.6 and earlier results from an out-of-bounds read vulnerability in malformed file parsing that allows attackers to corrupt memory and execute arbitrary code within the user's context. The vulnerability requires user interaction, as victims must open a specially crafted file to trigger exploitation. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all Substance3D Stager installations and versions in use; disable file upload functionality if possible or restrict to trusted users only. Within 7 days: implement network segmentation to isolate affected systems and disable external access to Stager instances. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today