Security Vulnerability Report
CVE-2025-61835 CVSS 7.8 HIGH

CVE-2025-61835

Published: 2025-11-11 21:15:40
Last Modified: 2025-11-12 18:40:59

Description

Substance3D - Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Adobe Substance3D Stager <= 3.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-61835 PoC - Integer Underflow in Adobe Substance3D Stager
// This PoC demonstrates the vulnerability trigger mechanism
// Note: Actual exploit requires crafting specific file format

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

// Malicious file structure to trigger integer underflow
typedef struct {
    uint32_t magic;         // File magic number
    uint32_t version;       // File version
    uint32_t data_count;    // Number of data entries
    uint32_t data_size;     // Size of data (can trigger underflow)
    uint8_t payload[1024];  // Malicious payload
} malicious_file_t;

// Function that demonstrates the vulnerable code pattern
void process_data_entry(uint32_t count, uint32_t size) {
    // Vulnerable: No validation before subtraction
    // If size < count, the unsigned subtraction wraps around
    uint32_t remaining = size - count;  // Integer underflow occurs here

    // Allocate buffer based on underflowed value
    uint8_t *buffer = (uint8_t *)malloc(remaining);

    // `remaining` has wrapped to a huge value (0xFFFFFFCE for the values in
    // main) and no longer matches the real data length; code that trusts it
    // as a length is what leads to memory corruption
    // This can be exploited for arbitrary code execution

    free(buffer);  // release the allocation (malloc may also have returned NULL)
}

int main(void) {
    printf("CVE-2025-61835 PoC Trigger\n");
    printf("Target: Adobe Substance3D Stager <= 3.1.5\n");
    printf("Vulnerability: Integer Underflow\n");

    // Example trigger values
    uint32_t count = 100;
    uint32_t size = 50;  // size < count triggers underflow

    process_data_entry(count, size);
    return 0;
}

// To exploit:
// 1. Create a malicious .sbsar or .sbs file
// 2. Modify file header with crafted size values
// 3. Open file in Adobe Substance3D Stager
// 4. Integer underflow triggers, leading to code execution

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61835", "sourceIdentifier": "[email protected]", "published": "2025-11-11T21:15:39.563", "lastModified": "2025-11-12T18:40:58.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.6", "matchCriteriaId": "6EEF4010-0833-4D6B-9C45-FC8F85B3496A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}