Autodesk 3ds Max CVE-2026-0538
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
AnalysisAI
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggering an out-of-bounds write (CWE-787) in its image-handling code. The flaw lets an attacker run code in the context of the user running 3ds Max; no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.
Technical ContextAI
Autodesk 3ds Max is a Windows-based 3D modeling, animation, and rendering suite widely used in VFX, game development, and architectural visualization. The CPE cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:* indicates the entire product line is in scope pending vendor version clarification. The root cause is CWE-787 (Out-of-Bounds Write) inside the GIF parser - likely a miscalculation of buffer length when decoding LZW-compressed frames, color tables, or extension blocks - which corrupts adjacent heap or stack memory and, when shaped carefully, allows control of execution flow to achieve arbitrary code execution.
RemediationAI
Patch available per vendor advisory - apply the fixed 3ds Max build distributed through Autodesk Access as described in ADSK-SA-2026-0002 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002); confirm the exact patched version against the advisory because it is not enumerated in the NVD data. Until patching is complete, instruct artists and pipeline engineers not to open GIF files from untrusted sources or shared download folders inside 3ds Max, sanitize or convert externally-sourced texture/reference assets through an image-processing tool that re-encodes GIFs (which removes attacker-controlled byte patterns at the cost of a small preprocessing step in the asset pipeline), and consider running 3ds Max under a standard user account so that any successful exploitation is constrained to that user's context rather than administrative privileges.
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr
Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c
Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-
A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity
A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through
Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b
A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today