Cyber Posture

CVE-2026-21341

High

Published: 10 February 2026
Modified: 11 February 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21341 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 12.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly remediates the out-of-bounds write vulnerability in Substance3D Stager by identifying, prioritizing, and applying vendor-provided patches in a timely manner.

prevent: Mitigates arbitrary code execution from the out-of-bounds write through memory protections such as address space randomization, non-executable memory, and stack canaries.

prevent, detect: Scans for and blocks malicious files exploiting the vulnerability before they can be opened and processed by Substance3D Stager.

MITRE ATT&CK Enterprise Techniques · AI

T1204.002 Malicious File · Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Out-of-bounds write in file parser enables RCE when victim opens crafted malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysis · AI

CVE-2026-21341 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Stager versions 3.1.6 and earlier. The flaw occurs during processing of malicious files and can result in arbitrary code execution in the context of the current user.

Exploitation requires local access and user interaction, as a victim must open a specially crafted malicious file. No privileges are needed (PR:N), attack complexity is low (AC:L), and there is no change in scope (S:U). A successful attack has a high impact on confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Mitigation details are provided in Adobe Product Security Bulletin APSB26-20, available at https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html.

Details

CWE(s)

Affected Products

adobe
substance 3d stager
≤ 3.1.7

CVEs Like This One

CVE-2026-27274 · Same product: Adobe Substance 3D Stager
CVE-2025-21128 · Same product: Adobe Substance 3D Stager
CVE-2025-21132 · Same product: Adobe Substance 3D Stager
CVE-2026-27279 · Same product: Adobe Substance 3D Stager
CVE-2025-21131 · Same product: Adobe Substance 3D Stager
CVE-2026-27273 · Same product: Adobe Substance 3D Stager
CVE-2026-27275 · Same product: Adobe Substance 3D Stager
CVE-2025-21130 · Same product: Adobe Substance 3D Stager
CVE-2026-21342 · Same product: Adobe Substance 3D Stager
CVE-2026-21345 · Same product: Adobe Substance 3D Stager
