Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Substance3D Stager 3.1.7 and earlier allows local attackers to execute malicious code with user privileges through specially crafted files. Exploitation requires social engineering to trick users into opening weaponized Stager project files. No public exploit identified at time of analysis, though the use-after-free vulnerability class is well-understood and exploitable. CVSS 7.8 (High) reflects significant impact if exploited, though local attack vector and user interaction requirement reduce immediate risk compared to remotely exploitable flaws.
Technical ContextAI
This vulnerability affects Adobe Substance3D Stager (cpe:2.3:a:adobe:substance3d_-_stager), a 3D scene design and rendering application used by creative professionals. The root cause is CWE-416 (Use After Free), a memory corruption condition where the application continues to use a memory pointer after the referenced memory has been freed. In C/C++ applications like Substance3D Stager, use-after-free conditions occur when the program deallocates memory but retains pointers to that location, allowing subsequent operations to access freed memory. Attackers can exploit this by controlling the contents of the freed memory region, potentially redirecting program execution flow to attacker-controlled code. The vulnerability manifests during file parsing operations, suggesting malformed or malicious Stager project files can trigger the unsafe memory access pattern. All versions through 3.1.7 contain the vulnerable code path.
RemediationAI
Adobe has released security updates addressing this vulnerability in bulletin APSB26-29. Users should immediately upgrade to the patched version specified in the vendor advisory at https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html. The Adobe Creative Cloud desktop application typically provides automatic update notifications for Substance3D products. IT administrators managing enterprise deployments should use Adobe Remote Update Manager or other deployment tools to push the security update across managed workstations. Until patching is complete, organizations should implement compensating controls including restricting Substance3D Stager file sources to trusted repositories, implementing email attachment filtering for Stager project file extensions, and user awareness training about opening unsolicited 3D project files. No effective workaround exists that allows continued use of vulnerable versions while mitigating the risk, making version upgrade the only complete remediation.
Same weakness CWE-416 – Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16854