ZDI-CAN-20256: Adobe Substance 3D Stager USD File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
CVE-2023-26391

7.8HIGH

Key Information:

Vendor: Adobe
Status: Substance3D - Stager
Vendor: CVE Published:; 12 April 2023

Summary

Adobe Substance 3D Stager versions 2.0.1 and earlier contain an out-of-bounds read vulnerability that arises when parsing specially crafted files. This flaw could potentially allow an attacker to read memory beyond allocated data, which may lead to code execution in the context of the user. Exploitation of this vulnerability necessitates that a user inadvertently open a crafted file, highlighting the importance of user awareness and file integrity.

Affected Version(s)

Substance3D - Stager <= 2.0.1

Substance3D - Stager <= unspecified

References

https://helpx.adobe.com/security/products/substance3d_sta...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 12, 2023
Vulnerability Reserved
Feb 22, 2023