CVE-2023-26394: 
Adobe Substance 3D Stager vulnerability analysis and mitigation

Adobe Substance 3D Stager version 2.0.1 and earlier versions were found to contain a Heap-based Buffer Overflow vulnerability identified as CVE-2023-26394. The vulnerability was disclosed on April 11, 2023, affecting Adobe's Substance 3D Stager software on both Windows and macOS platforms (NVD).

The vulnerability stems from improper validation of user-supplied data length before copying it to a fixed-length heap-based buffer during USD file parsing. This flaw is classified as CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow). The vulnerability has received a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI).

If successfully exploited, this vulnerability could lead to arbitrary code execution in the context of the current user. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (ZDI).

Adobe has released security updates to address this vulnerability. Users are advised to update to the latest version of Substance 3D Stager to mitigate this security risk (Adobe Advisory).