ZDI-CAN-20258: Adobe Substance 3D Stager USDC File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
CVE-2023-26389

7.8 HIGH

Key Information:

Vendor: Adobe
CVE Published: 12 April 2023

Summary

Adobe Substance 3D Stager versions 2.0.1 and earlier are affected by an out-of-bounds read vulnerability. The issue arises when the application processes a specially crafted file, which lets an attacker read data beyond the bounds of allocated memory. Exploitation requires user interaction: the victim must open the malicious file. Successful exploitation could lead to code execution in the context of the current user and to data exposure.

Affected Version(s)

Substance3D - Stager <= 2.0.1

Substance3D - Stager <= unspecified

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
