How is CVE-2026-48305 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger this vulnerability. Authentication (not-required): No account or credentials are required; the exploit is reachable by any unauthenticated party who can deliver a malicious file to the victim. Victim interaction (required): The victim must open a malicious file, making this a social-engineering dependent attack where the attacker must convince a user to open the crafted document. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental prerequisites beyond the victim opening the file.

What is the impact of CVE-2026-48305?

Executes arbitrary code in the context of the logged-in user, giving the attacker full control over that user session. Reads files and secrets accessible to the current user, including credentials, project assets, and stored configuration. Writes or overwrites files on the local filesystem within the current user's permissions, enabling persistent implants or data destruction. Crashes or destabilizes the Substance3D - Sampler process, disrupting the local user's workflow and potentially corrupting open project files.

Back to search

HIGHCVE-2026-48305Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-48305: Substance3D - Sampler | Out-of-bounds Write (CWE-787)

Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability affects Adobe Substance3D - Sampler versions 6.0.0 and earlier. The flaw is triggered locally when a user opens a specially crafted file, requiring no prior authentication but demanding that a victim perform that file-open action. Successful exploitation gives the attacker full code execution running as the current user, enabling data theft, file modification, and further system compromise. No fix version has been published yet; HarborGuard tracks the advisory and will flag patched rebuilds the moment upstream releases one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle Substance3D - Sampler at or below version 6.0.0.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each customer environment's compliance policy to prioritize accordingly; findings can be routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version exists yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Adobe publishes a remediated release. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be triggered without manual intervention once that upstream fix lands.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger this vulnerability.
AuthenticationNot required
No account or credentials are required; the exploit is reachable by any unauthenticated party who can deliver a malicious file to the victim.
Victim interactionRequired
The victim must open a malicious file, making this a social-engineering dependent attack where the attacker must convince a user to open the crafted document.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental prerequisites beyond the victim opening the file.

Blast Radius

Executes arbitrary code in the context of the logged-in user, giving the attacker full control over that user session.
Reads files and secrets accessible to the current user, including credentials, project assets, and stored configuration.
Writes or overwrites files on the local filesystem within the current user's permissions, enabling persistent implants or data destruction.
Crashes or destabilizes the Substance3D - Sampler process, disrupting the local user's workflow and potentially corrupting open project files.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48305 is active across all customer environments, matching any image that includes Substance3D - Sampler at or below version 6.0.0. Because Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available immediately upon upstream release. For customers with auto-remediation enabled, that moment triggers an automatic rebuilt image, regression run, and PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth considering include restricting file-open workflows for untrusted content sources via OS-level sandboxing or application-layer policies, applying network-policy isolation to hosts running Sampler to limit lateral movement if the host is compromised, and using egress filtering to reduce attacker reach in the event code execution is achieved.

See how HarborGuard automates this

Affected packages

Adobe / Substance3D - Sampler
≤ 6.0.0

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified