Cyber Resilience

CVE-2026-21343

High

Published: 10 February 2026

Published
10 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21343 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).

Deeper analysis

CVE-2026-21343 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe Substance3D Stager versions 3.1.6 and earlier. The flaw occurs when parsing a crafted file, leading to a read past the end of an allocated memory structure. Published on 2026-02-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires local access (AV:L) and user interaction (UI:R), with low attack complexity (AC:L) and no privileges (PR:N). An attacker can craft a malicious file and trick a victim into opening it, potentially achieving arbitrary code execution in the context of the current user, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Adobe's Product Security Bulletin APSB26-20 at https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html addresses the vulnerability and provides associated mitigation guidance.

EU & UK References

Vulnerability details

Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to…

more

execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Out-of-bounds read in file parser enables RCE via crafted malicious file opened by user (local, no privileges required).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21344Same product: Adobe Substance 3D Stager
CVE-2026-21345Same product: Adobe Substance 3D Stager
CVE-2026-21324Same product: Apple Macos
CVE-2026-27284Same product: Apple Macos
CVE-2026-27274Same product: Adobe Substance 3D Stager
CVE-2026-21322Same product: Apple Macos
CVE-2025-21128Same product: Adobe Substance 3D Stager
CVE-2026-21341Same product: Adobe Substance 3D Stager
CVE-2026-27287Same product: Apple Macos
CVE-2025-21132Same product: Adobe Substance 3D Stager

Affected Assets

adobe
substance 3d stager
≤ 3.1.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds read vulnerability in Substance3D Stager by applying patches from Adobe's APSB26-20 bulletin.

prevent

Implements memory protections like ASLR and DEP to mitigate code execution from the out-of-bounds read past allocated structures.

prevent

Restricts execution to approved, patched versions of Substance3D Stager via application whitelisting, preventing use of vulnerable releases.

References