Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A maliciously crafted PAR file, when parsed through Autodesk 3ds Max, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition.
AnalysisAI
NULL Pointer Dereference in Autodesk 3ds Max's PAR file parser allows a local attacker to crash the application by convincing a user to open a specially crafted PAR file, resulting in a denial-of-service condition. Affected versions span both the 2026 (prior to 2026.1) and 2027 (prior to 2027.1) release lines. No active exploitation has been identified - EPSS is 0.00% (0th percentile), SSVC exploitation status is 'none', and the vulnerability is not listed in CISA KEV - placing this squarely in a low-urgency, patch-and-monitor posture.
Technical ContextAI
PAR files are Particle system Archive files used by Autodesk 3ds Max (CPE: cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*) to store and transfer particle system data. The root cause is CWE-476 (NULL Pointer Dereference): during parsing of a malformed PAR file, the application dereferences a pointer that was never properly initialized or validated, causing an access violation. The CVSS vector AV:L/AC:L/PR:N/UI:R/S:U confirms this is a client-side file-parsing vulnerability - the attack is local, requires no attacker privileges, demands that the victim open the malicious file, and has no scope change. Impact is limited entirely to availability (A:H), with no confidentiality or integrity effects, consistent with a pure crash/DoS class defect.
RemediationAI
The primary fix is to upgrade to Autodesk 3ds Max 2026.1 or 3ds Max 2027.1, which are the patched releases confirmed by EUVD-2026-31909. Autodesk's official advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0006 should be consulted for patch delivery details; updates are available through the Autodesk Access tool referenced at https://www.autodesk.com/products/autodesk-access/overview. As a compensating control for organizations unable to patch immediately, instruct users not to open PAR files received from untrusted or unverified sources, and consider implementing file-type filtering at email and web gateways to quarantine unexpected PAR attachments for manual review - note this approach does not prevent exploitation through other delivery channels such as shared drives or USB media.
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr
Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c
Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-
A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity
A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through
Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31909
GHSA-wg67-8wgj-6fhq