CVE-2026-27309
Published: 27 March 2026
Summary
CVE-2026-27309 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, testing, and remediation of flaws such as the Use After Free vulnerability in Substance3D Stager via security patches.
Implements memory safeguards like DEP and ASLR to protect against unauthorized code execution resulting from the Use After Free vulnerability.
Deploys malicious code protection at endpoints to scan and prevent opening of malicious files that exploit the vulnerability in Substance3D Stager.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in client application (Substance3D Stager) enables arbitrary code execution triggered by opening a malicious file, directly mapping to Exploitation for Client Execution (T1203) combined with User Execution: Malicious File (T1204.002).
NVD Description
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…
more
must open a malicious file.
Deeper analysisAI
CVE-2026-27309 is a Use After Free vulnerability (CWE-416) affecting Adobe Substance3D Stager versions 3.1.7 and earlier. This flaw occurs in the software's handling of certain operations, potentially leading to arbitrary code execution in the context of the current user. The vulnerability was published on 2026-03-27 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with low attack complexity.
Exploitation requires local access to the target system and user interaction, specifically a victim opening a malicious file. An attacker with no privileges (PR:N) can leverage this to achieve arbitrary code execution as the logged-in user, potentially compromising the victim's account, data, or system resources depending on user permissions.
Adobe's security bulletin APSB26-29, available at https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html, provides details on the issue and mitigation steps for Substance3D Stager. Security practitioners should advise users to update to a patched version beyond 3.1.7 and avoid opening untrusted files in the application.
Details
- CWE(s)