Skip to main content

Autodesk 3ds Max CVE-2026-0538

HIGH
Out-of-bounds Write (CWE-787)
2026-02-04 psirt@autodesk.com
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 03, 2026 - 14:34 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:22 NVD
7.8 (HIGH) 8.4 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 04, 2026 - 17:16 nvd
HIGH 7.8

DescriptionCVE.org

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

AnalysisAI

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggering an out-of-bounds write (CWE-787) in its image-handling code. The flaw lets an attacker run code in the context of the user running 3ds Max; no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.

Technical ContextAI

Autodesk 3ds Max is a Windows-based 3D modeling, animation, and rendering suite widely used in VFX, game development, and architectural visualization. The CPE cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:* indicates the entire product line is in scope pending vendor version clarification. The root cause is CWE-787 (Out-of-Bounds Write) inside the GIF parser - likely a miscalculation of buffer length when decoding LZW-compressed frames, color tables, or extension blocks - which corrupts adjacent heap or stack memory and, when shaped carefully, allows control of execution flow to achieve arbitrary code execution.

RemediationAI

Patch available per vendor advisory - apply the fixed 3ds Max build distributed through Autodesk Access as described in ADSK-SA-2026-0002 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002); confirm the exact patched version against the advisory because it is not enumerated in the NVD data. Until patching is complete, instruct artists and pipeline engineers not to open GIF files from untrusted sources or shared download folders inside 3ds Max, sanitize or convert externally-sourced texture/reference assets through an image-processing tool that re-encodes GIFs (which removes attacker-controlled byte patterns at the cost of a small preprocessing step in the asset pipeline), and consider running 3ds Max under a standard user account so that any successful exploitation is constrained to that user's context rather than administrative privileges.

CVE-2026-0661 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re

CVE-2026-0537 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr

CVE-2026-0660 HIGH
8.4 Feb 04

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious

CVE-2026-7454 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL

CVE-2026-0662 HIGH
7.8 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori

CVE-2026-7452 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious

CVE-2026-7451 HIGH
7.8 May 26

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c

CVE-2026-0536 HIGH
7.8 Feb 04

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-

CVE-2023-25002 HIGH
7.8 Jun 27

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity

CVE-2022-25793 HIGH
7.8 Aug 10

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through

CVE-2022-27871 HIGH
7.8 Jun 21

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b

CVE-2022-27532 HIGH
7.8 Jun 16

A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while

Share

CVE-2026-0538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy