Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
AnalysisAI
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.
Technical ContextAI
3ds Max is a Windows-based 3D modeling and animation suite that imports a wide range of legacy and interchange formats, including WRL (VRML 2.0 / Virtual Reality Modeling Language) scene files. The vulnerability resides in the WRL parser, which fails to safely bound user-controlled data while reading the file - the root cause class CWE-120 (Classic Buffer Overflow / 'Buffer Copy without Checking Size of Input') indicates that attacker-controlled length or content from the WRL stream is copied into a fixed-size buffer, corrupting adjacent memory. Because parsing happens in-process, successful corruption yields control flow hijack in the 3ds Max process, which typically runs at the interactive user's privilege level on Windows workstations (cpe:2.3:a:autodesk:3ds_max).
RemediationAI
Vendor-released patches are available: upgrade Autodesk 3ds Max 2026 to 2026.1 or later, and Autodesk 3ds Max 2027 to 2027.1 or later, delivered via Autodesk Access (https://www.autodesk.com/products/autodesk-access/overview) as referenced in advisory ADSK-SA-2026-0006 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0006). Until patching is completed, compensating controls include refusing to open WRL/VRML files from untrusted or unverified sources, stripping or blocking .wrl attachments at the email gateway, and disallowing WRL imports in shared asset pipelines - the trade-off is loss of legitimate VRML interchange, which is uncommon in modern workflows. Running 3ds Max as a standard (non-administrative) user limits post-exploitation blast radius but does not prevent code execution in the user's session, and opening suspect files inside a disposable VM or sandboxed workstation isolates impact at the cost of workflow friction.
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr
Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c
Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-
A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity
A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through
Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b
A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31911
GHSA-86fj-8658-phwx