Adobe Substance3D Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
The vulnerability carries a CVSS 3.1 base score of 5.5 (Medium). The score is driven almost entirely by the High confidentiality impact: a successful exploit discloses process memory but does not modify data or disrupt the application.
Organizations using affected versions should prioritize patching to mitigate this risk and protect sensitive data from unauthorized access.
The attack vector is rated Local (AV:L) because the vulnerable code is reached through a file the victim opens on their own machine, not through a network-exposed service; the user-interaction requirement (UI:R) is scored separately. Together the two metrics narrow the realistic attack path to phishing or other delivery of a crafted project file, so organizations should make sure users understand the risk of opening untrusted files.
Vulnerability Details
The Out-of-bounds Read vulnerability in Adobe Substance3D Modeler affects versions 1.22.4 and earlier. The CVSS 3.1 vector rates the attack vector Local (AV:L), attack complexity Low (AC:L), privileges required None (PR:N) and user interaction Required (UI:R). Confidentiality impact is High (C:H); integrity (I:N) and availability (A:N) are unaffected. Scope is not quoted above, but with these metrics only an unchanged scope (S:U) yields the published 5.5; a changed scope (S:C) would score 6.3.
The weakness is classified as CWE-125 (Out-of-bounds Read). Details were published on January 13, 2026, and the CVE record (CVE-2026-21303) carries an Analyzed status.
Technical Analysis
The root cause is a read from memory outside the bounds of the intended buffer while the application parses a crafted file. In this class of bug (CWE-125) a length, offset or index taken from the file is used to address memory without being checked against the size of the data actually loaded, so the parser returns bytes that were never part of the file: residue of other documents, cached credentials or heap metadata. Because the defect is a read and not a write, the consequence is information disclosure rather than code execution, which is why the vector scores confidentiality High and integrity and availability None.
The attack path follows from the vector. The attacker needs no privileges on the target (PR:N) and no access to a listening network service (AV:L), but does need the victim to open the file (UI:R). Attack complexity is Low (AC:L): once the file is opened, nothing else has to line up for the over-read to occur, so the practical barrier is only getting the user to open it.
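The pattern behind a CWE-125 in a file parser is easier to see in code. The following C program is an added example, not Adobe's code and not the Substance3D Modeler file format (whose layout is not public): the record layout, the field names and the neighbouring "SESSION-TOKEN" string are constructed for illustration. It places a length-trusting parser beside its bounds-checked form and shows how the unchecked read hands back bytes that were never part of the file.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example. The record layout is invented and is NOT the Substance3D Modeler
 * format; it shows the general CWE-125 pattern in file parsers: a length read from
 * the file is trusted when addressing the buffer that holds the file's own bytes.
 *   record := u16 little-endian length | `length` bytes of payload             */

typedef struct {
    const uint8_t *data;   /* bytes read from the file */
    size_t         size;   /* how many of them were actually read */
} file_image;

static uint16_t read_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable: the length field is attacker-controlled and the only bound checked
 * protects the destination, not the source. memcpy reads past img->size and the
 * caller receives whatever happened to sit beyond the file bytes in memory. */
static size_t parse_record_vulnerable(const file_image *img, size_t off,
                                      uint8_t *out, size_t out_cap)
{
    uint16_t len = read_u16le(img->data + off);
    if (len > out_cap) len = (uint16_t)out_cap;
    memcpy(out, img->data + off + 2, len);   /* over-read when len > size - off - 2 */
    return len;
}

/* Hardened: the length field must fit, the payload must fit in the bytes actually
 * loaded, and the destination must be large enough. Subtractions are ordered so
 * they cannot wrap. */
static bool parse_record_hardened(const file_image *img, size_t off,
                                  uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (off > img->size || img->size - off < 2) return false;
    uint16_t len = read_u16le(img->data + off);
    if (len > img->size - off - 2) return false;
    if (len > out_cap) return false;
    memcpy(out, img->data + off + 2, len);
    *out_len = len;
    return true;
}

/* Constructed demonstration: the file bytes sit in an arena directly followed by
 * unrelated data, standing in for whatever the heap held next to the file buffer.
 * Keeping everything inside one array keeps the demo itself well-defined. */
static const char NEIGHBOUR[] = "SESSION-TOKEN-7f3a";   /* constructed, not real */

static size_t build_arena(uint8_t *arena, size_t arena_size, bool oversized)
{
    uint8_t file_bytes[6] = { 0x04, 0x00, 'm', 'e', 's', 'h' };   /* honest: len 4 */
    if (oversized) file_bytes[0] = 0x18;                          /* crafted: len 24 */
    memset(arena, 0, arena_size);
    memcpy(arena, file_bytes, sizeof file_bytes);
    memcpy(arena + sizeof file_bytes, NEIGHBOUR, sizeof NEIGHBOUR);
    return sizeof file_bytes;                /* the size the loader would report */
}

/* Crafted file through the vulnerable parser: 24 bytes come back, 4 of payload and
 * 20 that were never in the file. true if the neighbour's secret is among them. */
static bool demo_vulnerable_leaks_neighbour(void)
{
    uint8_t arena[64], out[64];
    file_image img = { arena, build_arena(arena, sizeof arena, true) };
    size_t n = parse_record_vulnerable(&img, 0, out, sizeof out);
    return n == 24 && memcmp(out + 4, NEIGHBOUR, strlen(NEIGHBOUR)) == 0;
}

static bool demo_hardened_rejects_crafted(void)
{
    uint8_t arena[64], out[64];
    size_t len = 0;
    file_image img = { arena, build_arena(arena, sizeof arena, true) };
    return !parse_record_hardened(&img, 0, out, sizeof out, &len);
}

static bool demo_hardened_accepts_honest(void)
{
    uint8_t arena[64], out[64];
    size_t len = 0;
    file_image img = { arena, build_arena(arena, sizeof arena, false) };
    return parse_record_hardened(&img, 0, out, sizeof out, &len)
        && len == 4 && memcmp(out, "mesh", 4) == 0;
}

int main(void)
{
    printf("vulnerable parser leaks neighbouring memory: %s\n", demo_vulnerable_leaks_neighbour() ? "yes" : "no");
    printf("hardened parser rejects crafted file:        %s\n", demo_hardened_rejects_crafted() ? "yes" : "no");
    printf("hardened parser accepts honest file:         %s\n", demo_hardened_accepts_honest() ? "yes" : "no");
    return 0;
}
```

The vulnerable version checks only the destination capacity, which is why the outcome is a read past the source buffer rather than a write: exactly the confidentiality-only profile (C:H, I:N, A:N) in the vector above. Whether such a read crashes or silently leaks depends on what lies past the buffer; a read that stays inside mapped memory produces no fault at all, which is also what makes this class of bug hard to detect after the fact.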
Risk & Impact Analysis
The risk to organizations is disclosure of whatever the Modeler process holds in memory near the over-read buffer, which could include fragments of other open documents, credentials or tokens cached by the application, or pointers that help an attacker mount a follow-on attack. Exploitation requires a user to open a crafted file, so the blast radius is limited to the workstation and account of that user; educating users about untrusted files is therefore a meaningful control, not just a formality.
With a CVSS score of 5.5 (Medium), the fix belongs in the regular priority patch cycle rather than an emergency change. It is not critical, but it should not be deferred indefinitely either: file-based lures are cheap to deliver, and the attack complexity is Low once a file is opened.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
Substance3D Modeler versions 1.22.4 and earlier are affected by this vulnerability. Organizations should update to version 1.22.5 or later to mitigate the risk.
Mitigation & Remediation
Upgrade to version 1.22.5 or later; this is the only complete fix. Where the upgrade cannot be deployed immediately, reduce exposure in the meantime: treat Modeler project files arriving from outside the organization as untrusted, restrict where users obtain them, and reinforce safe file-handling training.
Detection Guidance
Exploitation leaves few direct traces. An out-of-bounds read that lands in mapped memory neither crashes the application nor writes anything to a log, so generic "memory access errors" are not a reliable signal. Useful indirect signals are: crash reports from the Modeler application at file-open time (an oversized read that crosses into unmapped memory faults the process); software inventory identifying installations below 1.22.5; and email or endpoint telemetry showing project files arriving from external senders and being opened by users on a vulnerable version. Behavioural tooling that flags unusual file interactions can supplement these, but version inventory remains the most dependable control.
AppSecure Threat Intelligence Insight
The lasting lesson of CVE-2026-21303 is the one behind every CWE-125 in a file parser: each length, offset and count read from an untrusted file must be validated against the size of the data actually loaded before it is used to address memory, and parsers that handle user-supplied files should be fuzzed before release. Security teams should pair that engineering discipline with user awareness about opening untrusted files.
For further guidance on securing applications, organizations can refer to our application security assessment resources and best practices.
Additionally, organizations should remain informed about emerging vulnerabilities by following our vulnerability management program updates.
Finally, organizations can enhance their resilience against potential exploits by engaging in penetration testing practices.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.