CVE-2026-21334
Published: 10 February 2026
Summary
CVE-2026-21334 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Designer. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly preventing exploitation of the out-of-bounds write vulnerability in Substance3D Designer by applying patches from Adobe bulletin APSB26-19.
SI-16 implements memory protections such as DEP and ASLR that directly mitigate out-of-bounds writes from resulting in arbitrary code execution.
SI-10 requires validation of file inputs to the application, addressing malformed files that trigger the out-of-bounds write but not fully eliminating the underlying memory handling flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write enables arbitrary code execution via malicious file opened by user (local, no privileges), directly mapping to client-side exploitation and malicious file user execution.
NVD Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2026-21334 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Designer versions 15.1.0 and earlier. This flaw can result in arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-02-10T18:16:31.303.
Exploitation requires local access and user interaction, specifically tricking a victim into opening a malicious file. No privileges are needed (PR:N), and the attack has low complexity (AC:L). A successful exploit grants the attacker high-impact control over confidentiality, integrity, and availability in the user's context.
Adobe Security Bulletin APSB26-19 details the issue and mitigation steps at https://helpx.adobe.com/security/products/substance3d_designer/apsb26-19.html.
Details
- CWE(s)