Cyber Posture

CVE-2026-21345

High

Published: 10 February 2026

Published
10 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21345 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires timely identification, testing, and installation of patches to remediate known flaws like this out-of-bounds read vulnerability in Substance3D Stager.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Mandates receipt, dissemination, and implementation of vendor security alerts and advisories such as Adobe APSB26-20 for this specific CVE.

SI-16 Memory Protection partial match
prevent

Implements memory protection mechanisms that can prevent unauthorized access and exploitation of out-of-bounds reads leading to arbitrary code execution.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Out-of-bounds read in file parser enables arbitrary code execution when a user opens a crafted local file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to…

more

execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysisAI

CVE-2026-21345 is an out-of-bounds read vulnerability (CWE-125) affecting Substance3D - Stager versions 3.1.6 and earlier. The flaw occurs when parsing a crafted file, which could result in a read past the end of an allocated memory structure. Published on 2026-02-10T19:15:57.457, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires an attacker to have local access and relies on user interaction, as a victim must open a malicious file. No privileges are needed (PR:N), and low attack complexity (AC:L) enables unauthenticated local attackers to leverage the issue. Successful exploitation allows arbitrary code execution in the context of the current user, with high impacts on confidentiality, integrity, and availability.

Adobe security bulletin APSB26-20 provides details on the vulnerability and mitigation. For patch information and remediation guidance, refer to https://helpx.adobe.com/security/products/substance3d_stager/apsb26-20.html.

Details

CWE(s)
CWE-125

Affected Products

adobe
substance 3d stager
≤ 3.1.7

CVEs Like This One

CVE-2026-21343Same product: Adobe Substance 3D Stager
CVE-2026-21344Same product: Adobe Substance 3D Stager
CVE-2025-21128Same product: Adobe Substance 3D Stager
CVE-2026-21322Same product: Apple Macos
CVE-2026-27284Same product: Apple Macos
CVE-2026-21341Same product: Adobe Substance 3D Stager
CVE-2026-27274Same product: Adobe Substance 3D Stager
CVE-2026-21324Same product: Apple Macos
CVE-2025-21132Same product: Adobe Substance 3D Stager
CVE-2026-27269Same product: Apple Macos

References