{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/painter--12.0.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-34675"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Painter (\u003c 12.0.2)"],"_cs_severities":["high"],"_cs_tags":["cve","out-of-bounds write","code execution"],"_cs_type":"advisory","_cs_vendors":["Adobe Systems Incorporated"],"content_html":"\u003cp\u003eAdobe Substance3D Painter versions 12.0.2 and earlier are susceptible to an out-of-bounds write vulnerability, identified as CVE-2026-34675. This vulnerability can be exploited if a user opens a specially crafted malicious file. Successful exploitation could allow an attacker to execute arbitrary code within the context of the current user, potentially leading to system compromise. The vulnerability requires user interaction, as the victim must open a malicious file for the exploit to be triggered. This issue poses a significant risk to organizations and individuals using the affected versions of Substance3D Painter, as it could lead to data breaches, malware infections, or complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Substance3D Painter file.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the victim. This could be achieved through various methods, such as email, file sharing platforms, or compromised websites.\u003c/li\u003e\n\u003cli\u003eThe victim, unaware of the malicious nature of the file, opens it using a vulnerable version of Adobe Substance3D Painter (\u0026lt;= 12.0.2).\u003c/li\u003e\n\u003cli\u003eThe vulnerable software attempts to process the crafted file.\u003c/li\u003e\n\u003cli\u003eDue to the out-of-bounds write vulnerability (CVE-2026-34675), the software writes data to an unintended memory location.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled data overwrites critical program data or code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary code within the context of the user running Substance3D Painter.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, stealing sensitive data, or gaining persistent access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34675 can lead to arbitrary code execution on the victim\u0026rsquo;s machine, within the context of the user running the vulnerable application. This could allow an attacker to steal sensitive information, install malware, or gain persistent access to the system. Given the potential for arbitrary code execution, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Adobe Substance3D Painter greater than 12.0.2 to remediate CVE-2026-34675.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Opens in Substance3D Painter\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring file opening events.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate users about the risks of opening files from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:27:59Z","date_published":"2026-05-12T18:27:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-34675-substance3d/","summary":"Adobe Substance3D Painter versions 12.0.2 and earlier are vulnerable to an out-of-bounds write vulnerability (CVE-2026-34675) that could lead to arbitrary code execution if a user opens a malicious file.","title":"CVE-2026-34675: Adobe Substance3D Painter Out-of-Bounds Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-34675-substance3d/"}],"language":"en","title":"CraftedSignal Threat Feed — Painter (\u003c 12.0.2)","version":"https://jsonfeed.org/version/1.1"}