{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21300", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-12-12T22:01:18.191Z", "datePublished": "2026-01-13T20:20:18.309Z", "dateUpdated": "2026-01-14T18:52:48.415Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Substance3D - Modeler", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "1.22.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-01-13T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.5, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 5.5, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "NULL Pointer Dereference (CWE-476)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-01-13T20:20:18.309Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Substance3D - Modeler | NULL Pointer Dereference (CWE-476)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T18:52:42.343477Z", "id": "CVE-2026-21300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T18:52:48.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Substance3D - Modeler | NULL Pointer Dereference (CWE-476)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 5.5, "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "HIGH", "environmentalScore": 5.5, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "NONE", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "NONE", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Substance3D - Modeler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.22.4"}], "defaultStatus": "affected"}], "datePublic": "2026-01-13T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference (CWE-476)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-01-13T20:20:18.309Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T18:52:42.343477Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-14T18:52:45.526Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-21300", "state": "PUBLISHED", "dateUpdated": "2026-01-13T20:20:18.309Z", "dateReserved": "2025-12-12T22:01:18.191Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-01-13T20:20:18.309Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5A6870D-D2DE-4B8F-8680-3717CA179D14", "versionEndExcluding": "1.22.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-21300", "lastModified": "2026-01-14T17:58:05.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-01-13T21:15:53.630", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:29:57.515564+00:00", "value": {"mitigation_remediation": ["Acquire and install the latest version of Substance3D \u2013 Modeler once Adobe releases a patch that removes the null dereference flaw.", "Restrict access to untrusted or third\u2011party files by configuring the application or operating system to use a sandbox, thereby preventing malicious files from being executed by the protected environment.", "Monitor Adobe security advisories and apply any interim countermeasures recommended in future updates, such as stricter file validation or automated scanning of assets before opening."], "summary": {"action": "Monitor", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Adobe Substance3D \u2013 Modeler, versions 1.22.4 and all earlier releases.", "description_and_impact": "The vulnerability is a NULL Pointer Dereference that causes the Substance3D \u2013 Modeler application to crash when it processes a malicious file. The attack leads to a local application denial of service, allowing an adversary to interrupt the user\u2019s workflow but not to compromise the system isolation or data. The weakness is identified as CWE\u2011476 and is not an information disclosure or privilege escalation flaw.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates moderate severity. Exploitation requires user interaction \u2013 a victim must open a specially crafted file \u2013 and the EPSS score is less than 1\u202f%, implying a very low observation of exploitation in the wild. The issue is not listed in CISA\u2019s KEV catalog. With no network\u2011based exposure, the risk is limited to affected users who may open malicious assets. The low probability of exploit combined with the moderate impact suggests that vigilance is recommended rather than an immediate mandatory fix."}}}}, "created": "2026-01-14T11:08:39.147066+00:00", "updated": "2026-04-18T06:30:25.916612+00:00", "vendors": ["adobe", "adobe$PRODUCT$substance_3d_modeler"]}