Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can cause a Stack Exhaustion vulnerability, leading to a denial-of-service condition.
AnalysisAI
Stack exhaustion in Autodesk 3ds Max 2026 and 2027 can be triggered by opening a maliciously crafted WRL (VRML) file, causing an application crash and denial-of-service condition for the affected user. Exploitation requires local access and deliberate user interaction - a victim must be socially engineered into opening the weaponized file. No active exploitation is identified; EPSS sits at 0.00% and SSVC exploitation status is confirmed none, placing real-world risk well below what the moderate CVSS score of 5.5 might initially suggest.
Technical ContextAI
WRL files use the VRML (Virtual Reality Modeling Language) format, a structured 3D scene description language supported in 3ds Max as an import format. CWE-674 (Uncontrolled Recursion) identifies the root cause: the WRL parser fails to enforce a maximum recursion depth when traversing deeply nested or self-referencing node structures within the file, causing the call stack to grow unboundedly until it is exhausted. This is a classic parser-level vulnerability where input is not validated for structural depth before recursive descent begins. The CPE identifier cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:* applies across all platform builds of 3ds Max, and ENISA EUVD data (EUVD-2026-31914) narrows the scope to the 2026 and 2027 release trains specifically. The vulnerability is entirely within the file-parsing subsystem and carries no network-facing attack surface.
RemediationAI
Upgrade to Autodesk 3ds Max 2026.1 or 2027.1, which contain the vendor-released patch per Autodesk Security Advisory ADSK-SA-2026-0006 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0006). Updates can be obtained through the Autodesk Access utility at https://www.autodesk.com/products/autodesk-access/overview. For organizations unable to patch immediately, a practical compensating control is to instruct users not to open WRL files from untrusted or unverified sources, as the exploit path is entirely dependent on user-initiated file opening. If 3ds Max application settings allow disabling or restricting the VRML/WRL import feature, doing so would eliminate the attack surface at the cost of removing that import capability from legitimate workflows. No additional network-layer controls are applicable given the local-only attack vector.
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr
Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c
Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-
A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity
A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through
Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31914
GHSA-jxh4-3xvg-j3fm