CVE-2026-21345 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe Substance3D - Stager versions 3.1.6 and earlier. The vulnerability arises during the parsing of crafted files, where the software reads beyond the end of an allocated memory buffer. This memory corruption can be leveraged by attackers to execute arbitrary code within the context of the current user. The attack vector requires local user interaction, meaning the victim must open a maliciously crafted file to trigger the vulnerability. The CVSS v3.1 base score is 7.8, reflecting high severity due to the potential for complete compromise of the affected system's confidentiality, integrity, and availability. The vulnerability does not require prior authentication but does require user action, limiting remote exploitation to social engineering or phishing scenarios. No patches are currently linked, and no known exploits have been observed in the wild, indicating the vulnerability is newly disclosed. Adobe Substance3D - Stager is a 3D design and staging tool used primarily in creative industries, making the vulnerability relevant to organizations involved in digital content creation and design workflows.

The vulnerability allows attackers to execute arbitrary code with the privileges of the current user, potentially leading to full system compromise if the user has elevated rights. Confidential data processed or stored by Substance3D - Stager could be exposed or altered, and the integrity of design files may be compromised. Availability could also be affected if attackers deploy malware or ransomware post-exploitation. Since exploitation requires user interaction, the risk is higher in environments where users frequently open files from untrusted sources. Creative agencies, design studios, and enterprises relying on Adobe Substance3D - Stager for critical workflows could face operational disruption, intellectual property theft, and reputational damage. The absence of known exploits in the wild suggests a window of opportunity for defenders to implement mitigations before active attacks emerge.

1. Monitor Adobe’s official channels for patches and apply updates promptly once available. 2. Implement strict file handling policies, restricting the opening of files from untrusted or unknown sources within Substance3D - Stager. 3. Employ endpoint protection solutions capable of detecting anomalous behavior related to memory corruption and code execution. 4. Educate users on the risks of opening unsolicited or suspicious files, emphasizing phishing and social engineering awareness. 5. Use application whitelisting and sandboxing techniques to limit the impact of potential exploitation. 6. Regularly back up critical design files and maintain offline copies to ensure recovery in case of compromise. 7. Consider network segmentation to isolate systems running Substance3D - Stager from broader enterprise networks to limit lateral movement.