Zero Day MonitorZDM

← Back to list

7.8

CVE-2026-27309EXPLOITEDPATCHED

adobe · substance3d - stager

Substance3D - Stager | Use After Free (CWE-416)

Description

Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Affected Products

Vendor	Product	Versions
adobe	substance3d - stager	0

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html(vendor-advisory)

Related News (2 articles)

Tier C

VulDB2d ago

CVE-2026-27309 | Adobe Substance3D Stager up to 3.1.7 File use after free (apsb26-29)

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-27309 | Adobe Substance3D Stager up to 3.1.7 File use after free (apsb26-29 / EUVD-2026-16854)

→ No new info (linked only)

CVSS 3.17.8 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available3.1.8

CWECWE-416

Published3/27/2026

Last enriched2d agov3

Trending Score34

Source articles2

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

Multiple vulnerabilities in Adobe Creative Cloud applications

MEDIUMCVE-2026-21314

Audition versions 25.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive informati

MEDIUMCVE-2026-27217

Substance3D - Painter versions 11.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerabilit

MEDIUMCVE-2026-27223

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable f

HIGHCVE-2026-21352

DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issu

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 27, 2026

Discovered by ZDM

Mar 27, 2026

Updated: severity, activelyExploited, patchAvailable

Mar 27, 2026

Updated: description

Mar 28, 2026

Actively Exploited

Mar 30, 2026

Patch Available

Mar 30, 2026

Version History

v3

Last enriched 2d ago

v3Tier C2d ago

Updated description with more technical detail, noted that no exploit exists, and corrected patch availability to null.

description

via VulDB

v2Tier C2d ago

Updated severity to CRITICAL, noted that no exploit exists, and added patch available version 3.1.8.

severityactivelyExploitedpatchAvailable

via VulDB

v12d ago

Initial creation