CVE-2026-21335
Published: 10 February 2026
Summary
CVE-2026-21335 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Designer. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely flaw remediation, including applying vendor patches for the out-of-bounds write vulnerability in Substance3D Designer as detailed in APSB26-19.
Implements memory protection safeguards like ASLR and DEP that prevent arbitrary code execution from out-of-bounds write memory corruption exploits.
Controls or prohibits user-installed software to block deployment of vulnerable versions of Substance3D Designer.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in client software enables arbitrary code execution when a user opens a malicious file (T1204.002), directly via client-side exploitation (T1203).
NVD Description
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2026-21335 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Designer versions 15.1.0 and earlier. This flaw could lead to arbitrary code execution in the context of the current user when processing malicious files. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-02-10.
Exploitation requires local access and user interaction, specifically tricking a victim into opening a malicious file with the affected software. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). Successful exploitation allows an attacker to achieve arbitrary code execution with the privileges of the current user, potentially compromising confidentiality, integrity, and availability.
The Adobe security bulletin APSB26-19 at https://helpx.adobe.com/security/products/substance3d_designer/apsb26-19.html provides details on mitigation, including available patches for affected versions.
Details
- CWE(s)