Arbitrary Code Execution Vulnerability in Substance3D Painter Could Lead to User Data Theft
CVE-2024-20744

7.8HIGH

Key Information:

Vendor: Adobe
Status: Substance3d - Painter
Vendor: CVE Published:; 15 February 2024

Summary

An out-of-bounds write vulnerability exists in Adobe Substance3D Painter versions 9.1.1 and earlier. This flaw can lead to arbitrary code execution within the context of the current user, posing significant security risks. Successful exploitation necessitates user interaction, as the victim must open a specially crafted malicious file. Users of affected versions are encouraged to implement the latest security updates and to exercise caution when handling untrusted files.

Affected Version(s)

Substance3D - Painter 0 <= 9.1.1

References

https://helpx.adobe.com/security/products/substance3d_pai...

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 15, 2024
Vulnerability Reserved
Dec 4, 2023