CVE-2026-27274
Published: 10 March 2026
Summary
CVE-2026-27274 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of flaws like the out-of-bounds write vulnerability in Substance3D-Stager versions 3.1.7 and earlier via available Adobe patches.
Mandates vulnerability scanning to identify deployed instances of vulnerable Substance3D-Stager software, enabling remediation before exploitation by malicious files.
Deploys malicious code protection at file entry points to scan, block, or alert on malicious files crafted to trigger the out-of-bounds write in Substance3D-Stager.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in a desktop file parser directly enables arbitrary code execution when the user opens a crafted file, mapping to User Execution: Malicious File.
NVD Description
Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2026-27274 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D - Stager versions 3.1.7 and earlier. The flaw allows for arbitrary code execution in the context of the current user when a victim opens a malicious file. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
Exploitation requires local access and user interaction, as an attacker must trick a victim into opening a specially crafted malicious file. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). Successful exploitation results in arbitrary code execution with the privileges of the current user, potentially leading to full system compromise for that user.
Adobe Security Bulletin APSB26-29, available at https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html, provides details on mitigation, including available patches for affected versions. Security practitioners should ensure Substance3D - Stager is updated to a patched version and advise users to avoid opening untrusted files.
Details
- CWE(s)