CVE-2026-21344

High

Published: 10 February 2026

Published

10 February 2026

Modified

11 February 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21344 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds read vulnerability in Substance3D Stager by identifying, prioritizing, and applying vendor patches from Adobe APSB26-20.

SI-16 Memory Protection good match

prevent

Implements memory protections such as bounds checking, ASLR, and DEP to prevent exploitation of the out-of-bounds read into arbitrary code execution.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies systems with vulnerable Substance3D Stager versions 3.1.6 and earlier affected by CVE-2026-21344 for remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

OOB read in file parser enables RCE via crafted local file opened by user (direct match to malicious file user execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to…

execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysisAI

CVE-2026-21344 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe Substance3D Stager versions 3.1.6 and earlier. The issue arises when parsing a crafted file, leading to a read past the end of an allocated memory structure. This vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-02-10.

Exploitation requires an attacker to have local access and relies on user interaction, as a victim must open a malicious file. No privileges are needed (PR:N). Successful exploitation allows the attacker to execute arbitrary code in the context of the current user, resulting in high impacts to confidentiality, integrity, and availability.

Adobe's security advisory APSB26-20, available at https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html, provides further details on this vulnerability.

Details

CWE(s): CWE-125

Affected Products

adobe

substance 3d stager

≤ 3.1.7

CVEs Like This One

CVE-2026-21345Same product: Adobe Substance 3D Stager

CVE-2026-21343Same product: Adobe Substance 3D Stager

CVE-2025-21128Same product: Adobe Substance 3D Stager

CVE-2026-21322Same product: Apple Macos

CVE-2026-27284Same product: Apple Macos

CVE-2026-21341Same product: Adobe Substance 3D Stager

CVE-2026-27274Same product: Adobe Substance 3D Stager

CVE-2026-21324Same product: Apple Macos

CVE-2025-21132Same product: Adobe Substance 3D Stager

CVE-2026-27269Same product: Apple Macos

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html
Vendor Advisory · psirt@adobe.com