CVE-2026-21364 is a vulnerability identified in Adobe Substance3D - Painter, a widely used 3D texturing and painting application. The issue is a NULL Pointer Dereference (CWE-476) that occurs when the application attempts to access or dereference a pointer that has not been initialized or has been set to NULL. This leads to an application crash, causing a denial-of-service (DoS) condition. The vulnerability affects versions 11.1.2 and earlier. Exploitation requires a victim to open a maliciously crafted file, which triggers the NULL pointer dereference during file processing. The vulnerability does not allow for code execution or data leakage but disrupts availability by crashing the application. The CVSS v3.1 base score is 5.5, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), and high impact on availability (A:H). No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly once fixes are released.

The primary impact of CVE-2026-21364 is denial-of-service through application crashes, which can disrupt workflows for users relying on Adobe Substance3D - Painter. This can lead to productivity loss, especially in creative industries where timely content creation is critical. While the vulnerability does not compromise data confidentiality or integrity, repeated crashes could cause user frustration and potential data loss if unsaved work is lost. Organizations with large teams using this software may experience operational delays. Since exploitation requires user interaction and opening a malicious file, the risk is somewhat mitigated by user awareness and file source validation. However, targeted attacks using social engineering could still cause disruption. No known exploits in the wild reduce immediate risk, but the vulnerability remains a concern until patched.

Organizations should implement strict file handling policies, ensuring that only trusted files are opened in Adobe Substance3D - Painter. User training to recognize suspicious files and phishing attempts can reduce the risk of exploitation. Until a patch is released, consider sandboxing or running the application in a controlled environment to limit impact from crashes. Regular backups of work in progress can mitigate data loss from unexpected application termination. Monitor Adobe security advisories for updates and apply patches promptly once available. Additionally, consider network-level controls to restrict the receipt of potentially malicious files via email or file sharing platforms. Incident response plans should include procedures for handling application crashes and potential denial-of-service scenarios.