Skip to main content

Autodesk 3ds Max CVE-2026-7452

| EUVDEUVD-2026-31911 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-26 autodesk GHSA-86fj-8658-phwx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 09:01 vuln.today

DescriptionCVE.org

A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

AnalysisAI

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.

Technical ContextAI

3ds Max is a Windows-based 3D modeling and animation suite that imports a wide range of legacy and interchange formats, including WRL (VRML 2.0 / Virtual Reality Modeling Language) scene files. The vulnerability resides in the WRL parser, which fails to safely bound user-controlled data while reading the file - the root cause class CWE-120 (Classic Buffer Overflow / 'Buffer Copy without Checking Size of Input') indicates that attacker-controlled length or content from the WRL stream is copied into a fixed-size buffer, corrupting adjacent memory. Because parsing happens in-process, successful corruption yields control flow hijack in the 3ds Max process, which typically runs at the interactive user's privilege level on Windows workstations (cpe:2.3:a:autodesk:3ds_max).

RemediationAI

Vendor-released patches are available: upgrade Autodesk 3ds Max 2026 to 2026.1 or later, and Autodesk 3ds Max 2027 to 2027.1 or later, delivered via Autodesk Access (https://www.autodesk.com/products/autodesk-access/overview) as referenced in advisory ADSK-SA-2026-0006 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0006). Until patching is completed, compensating controls include refusing to open WRL/VRML files from untrusted or unverified sources, stripping or blocking .wrl attachments at the email gateway, and disallowing WRL imports in shared asset pipelines - the trade-off is loss of legitimate VRML interchange, which is uncommon in modern workflows. Running 3ds Max as a standard (non-administrative) user limits post-exploitation blast radius but does not prevent code execution in the user's session, and opening suspect files inside a disposable VM or sandboxed workstation isolates impact at the cost of workflow friction.

CVE-2026-0538 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri

CVE-2026-0661 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re

CVE-2026-0537 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr

CVE-2026-0660 HIGH
8.4 Feb 04

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious

CVE-2026-7454 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL

CVE-2026-0662 HIGH
7.8 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori

CVE-2026-7451 HIGH
7.8 May 26

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c

CVE-2026-0536 HIGH
7.8 Feb 04

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-

CVE-2023-25002 HIGH
7.8 Jun 27

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity

CVE-2022-25793 HIGH
7.8 Aug 10

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through

CVE-2022-27871 HIGH
7.8 Jun 21

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b

CVE-2022-27532 HIGH
7.8 Jun 16

A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while

Share

CVE-2026-7452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy