CVE-2026-21364 is a NULL Pointer Dereference vulnerability (CWE-476) identified in Adobe Substance3D - Painter versions 11.1.2 and earlier. This vulnerability arises when the application attempts to dereference a null pointer during processing of certain input data, specifically when opening a maliciously crafted file. The result is an application crash leading to denial-of-service (DoS). The vulnerability requires user interaction, as the victim must open the malicious file for exploitation to occur. No elevated privileges are required, and the attack vector is local (AV:L), meaning the attacker must have access to deliver the malicious file to the user. The CVSS v3.1 base score is 5.5, reflecting a medium severity primarily due to the impact on availability without affecting confidentiality or integrity. There are no known exploits in the wild, and Adobe has not yet released patches or mitigations. This vulnerability could disrupt workflows in creative environments relying on Substance3D - Painter, potentially causing productivity loss and operational interruptions. The root cause is improper handling of null pointers in the application code, which should be addressed by input validation and robust error handling in future updates.

The primary impact of this vulnerability is denial-of-service through application crashes, which can disrupt creative workflows and delay project timelines for organizations using Adobe Substance3D - Painter. While it does not compromise data confidentiality or integrity, the availability impact can be significant for studios, design firms, and enterprises relying on this software for 3D texturing and painting tasks. Repeated exploitation could lead to productivity losses and increased support costs. Since exploitation requires user interaction, social engineering or phishing campaigns could be used to deliver malicious files. The lack of known exploits reduces immediate risk, but the medium severity score indicates a moderate threat level. Organizations with large teams using this software may experience operational disruptions if the vulnerability is exploited at scale.

1. Educate users to avoid opening files from untrusted or unknown sources, especially unsolicited attachments or downloads. 2. Implement strict file validation and sandboxing where possible to isolate Substance3D - Painter processes. 3. Monitor for updates from Adobe and apply patches promptly once available. 4. Use endpoint protection solutions that can detect anomalous application crashes or suspicious file activity related to Substance3D - Painter. 5. Maintain regular backups of work to minimize impact from unexpected application crashes. 6. Consider restricting file sharing channels or scanning files before distribution within the organization. 7. Engage with Adobe support or security advisories for any interim workarounds or hotfixes. 8. Incorporate application whitelisting and least privilege principles to limit exposure.