CVE-2025-21138

High

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 34.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Designer versions 14.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21138 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Designer versions 14.0 and earlier. Published on 2025-01-14, the flaw could result in arbitrary code execution in the context of the current user.

Exploitation requires user interaction, as a victim must open a malicious file. An attacker needs only local access with no privileges (AV:L/AC:L/PR:N/UI:R), and successful exploitation grants high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.8; S:U/C:H/I:H/A:H).

Adobe's security bulletin APSB25-06 provides details on mitigation: https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html.

Details

CWE(s): CWE-787

Affected Products

adobe

substance 3d designer

≤ 14.1

References

https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html
Vendor Advisory · psirt@adobe.com