Substance3D Designer Out-of-Bounds Write Allows RCE
The National Vulnerability Database has disclosed CVE-2026-34682, an out-of-bounds write vulnerability affecting Adobe Substance3D Designer versions 15.1.0 and earlier. This flaw could lead to arbitrary code execution within the context of the current user, posing a significant risk to design professionals and organizations leveraging this software.
Exploitation requires user interaction: a victim must open a specially crafted malicious file. While this mitigates some risk, it’s a classic social engineering vector. Attackers will likely embed malicious payloads in project files, leveraging trust or curiosity to achieve initial access. The CVSS score of 7.8 (HIGH) reflects the potential for complete compromise of confidentiality, integrity, and availability once the code executes.
Organizations using Substance3D Designer must prioritize patching this vulnerability immediately. Given the nature of creative workflows, where users frequently exchange project files, the attack surface is broader than it might initially appear. Assume malicious files will find their way into your environment.
What This Means For You
- If your organization uses Adobe Substance3D Designer, immediately identify all instances running versions 15.1.0 or earlier. Prioritize patching to the latest secure version. Educate users on the risks of opening unsolicited or suspicious project files, even from seemingly legitimate sources.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-34682 - Substance3D Designer Malicious File Open
title: CVE-2026-34682 - Substance3D Designer Malicious File Open
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
Detects the execution of Substance 3D Designer with a file extension commonly associated with project files (.sbs, .sbsar). This rule aims to identify potential exploitation of CVE-2026-34682 where a user opens a malicious Substance 3D Designer file, leading to an out-of-bounds write vulnerability and potential RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-34682/
tags:
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- 'substance designer.exe'
CommandLine|contains:
- '.sbs'
- '.sbsar'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34682 | RCE | Substance3D - Designer versions 15.1.0 and earlier |
| CVE-2026-34682 | Memory Corruption | out-of-bounds write vulnerability |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
HashiCorp Nomad Code Execution (CVE-2026-7474) via Path Traversal
CVE-2026-7474 — HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This...
CVE-2026-44225: Pulpy Packager Allows Arbitrary File Access
CVE-2026-44225 — Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged...
ArcadeDB Critical Vulnerability Bypasses Authorization Across Databases
CVE-2026-44221 — ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate...