EUVD-2026-35798
GHSA-vrf3-mcj3-jvch
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) in the application's file parser. Exploitation runs in the context of the current user and no public exploit identified at time of analysis, though the high CVSS of 7.8 reflects the full local impact triad once a user is socially engineered into opening the file.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open a malicious file in Substance3D Sampler 6.0.0 or earlier - this is the explicit prerequisite stated in the description (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H accurately describes a client-side file-open vulnerability: the attack vector is Local because the malicious file must be processed by the local application, complexity is low, no prior privileges are required (PR:N), but user interaction is required (UI:R) - the victim must open the file. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious Substance3D-compatible asset file (for example an SBSAR material pack or scan project) that triggers the out-of-bounds write in the parser and embeds shellcode or a loader. The file is delivered via phishing email, a compromised asset marketplace, a Discord/forum share among 3D artists, or a poisoned cloud-storage link; when the designer double-clicks the file or imports it into Sampler, code executes in the context of their user account, allowing the attacker to harvest source assets, deploy ransomware, or pivot into the studio's pipeline. |
| Remediation | Patch available per vendor advisory - upgrade Substance3D Sampler to the version specified in Adobe Security Bulletin APSB26-60 at https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-60.html (consult the bulletin for the exact fixed version, as it is not enumerated in the provided intelligence). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Adobe Substance3D Sampler 6.0.0 and earlier installations and communicate usage restrictions to affected teams. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted 3
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs through an out-of-bounds write t
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted a
Share
External POC / Exploit Code
Leaving vuln.today