CVE-2025-21136

High

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 34.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Designer versions 14.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21136 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Designer versions 14.0 and earlier. Published on 2025-01-14, this issue could result in arbitrary code execution in the context of the current user.

The attack requires local access (AV:L) with no privileges (PR:N), but user interaction (UI:R) is necessary, as a victim must open a malicious file. Successful exploitation enables an attacker to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 score of 7.8, allowing arbitrary code execution in the user's context.

Mitigation details are provided in Adobe Security Bulletin APSB25-06, available at https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html.

Details

CWE(s): CWE-787

Affected Products

adobe

substance 3d designer

≤ 14.1

References

https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html
Vendor Advisory · psirt@adobe.com