How is CVE-2026-48306 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network exposure is required to deliver the exploit. Authentication (not-required): No account or credentials are needed to exploit this vulnerability; the attack is carried out through a malicious file rather than an authenticated session. Victim interaction (required): A victim must be socially engineered into opening a crafted file, making this a user-driven trigger rather than a purely passive exposure. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions, race timing, or memory layout requirements on the attacker.

What is the impact of CVE-2026-48306?

The attacker executes arbitrary code running as the logged-in user, gaining full control of any process or file that user can access. Confidential files, credentials, and application data readable by that user account are exposed to the attacker. The attacker can write or overwrite files owned by that user, including configuration files, documents, and stored application state. The affected application and any dependent processes can be crashed or manipulated, disrupting the victim's local workstation.

Back to search

HIGHCVE-2026-48306Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-48306: Substance3D - Sampler | Out-of-bounds Write (CWE-787)

Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability affects Adobe Substance3D - Sampler versions 6.0.0 and earlier. The attack is local and requires no prior authentication, but a victim must be tricked into opening a malicious file. Successful exploitation gives the attacker full code execution running as the current user, enabling complete read, write, and control of anything that user can access. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images containing affected versions of Substance3D - Sampler. Any image carrying a package version at or below 6.0.0 is flagged automatically.

Available

Triage

Triage is available with the CVSS 3.1 score of 7.8 (HIGH) applied to each matched image, weighted against each customer organization's compliance policy. Findings are routed to the appropriate team inbox based on per-environment severity thresholds and policy configuration.

Available

Patch

Because no fix version has been published by Adobe, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered as soon as a fixed version is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required to deliver the exploit.
AuthenticationNot required
No account or credentials are needed to exploit this vulnerability; the attack is carried out through a malicious file rather than an authenticated session.
Victim interactionRequired
A victim must be socially engineered into opening a crafted file, making this a user-driven trigger rather than a purely passive exposure.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions, race timing, or memory layout requirements on the attacker.

Blast Radius

The attacker executes arbitrary code running as the logged-in user, gaining full control of any process or file that user can access.
Confidential files, credentials, and application data readable by that user account are exposed to the attacker.
The attacker can write or overwrite files owned by that user, including configuration files, documents, and stored application state.
The affected application and any dependent processes can be crashed or manipulated, disrupting the victim's local workstation.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Adobe advisory for CVE-2026-48306, with the scanner flagging every image that packages Substance3D - Sampler at or below version 6.0.0. Because Adobe has not yet published a fix, no patched rebuild is available upstream; HarborGuard re-evaluates the advisory on each ingest cycle and will make a rebuilt image available automatically the moment a fix version is confirmed. In the interim, compensating controls are worth considering: network-policy isolation to limit what a compromised user process can reach, egress filtering to prevent outbound callbacks from an exploited workload, and any feature-flag or application-level gating that restricts untrusted file ingestion by the affected application. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered as soon as the upstream patch is available, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes once a fix version exists.

See how HarborGuard automates this

Affected packages

Adobe / Substance3D - Sampler
≤ 6.0.0

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified