Skip to main content

Autodesk 3ds Max EUVDEUVD-2026-31909

| CVE-2026-7450 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-26 autodesk GHSA-wg67-8wgj-6fhq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:49 vuln.today
CVSS changed
Jun 03, 2026 - 14:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A maliciously crafted PAR file, when parsed through Autodesk 3ds Max, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition.

AnalysisAI

NULL Pointer Dereference in Autodesk 3ds Max's PAR file parser allows a local attacker to crash the application by convincing a user to open a specially crafted PAR file, resulting in a denial-of-service condition. Affected versions span both the 2026 (prior to 2026.1) and 2027 (prior to 2027.1) release lines. No active exploitation has been identified - EPSS is 0.00% (0th percentile), SSVC exploitation status is 'none', and the vulnerability is not listed in CISA KEV - placing this squarely in a low-urgency, patch-and-monitor posture.

Technical ContextAI

PAR files are Particle system Archive files used by Autodesk 3ds Max (CPE: cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*) to store and transfer particle system data. The root cause is CWE-476 (NULL Pointer Dereference): during parsing of a malformed PAR file, the application dereferences a pointer that was never properly initialized or validated, causing an access violation. The CVSS vector AV:L/AC:L/PR:N/UI:R/S:U confirms this is a client-side file-parsing vulnerability - the attack is local, requires no attacker privileges, demands that the victim open the malicious file, and has no scope change. Impact is limited entirely to availability (A:H), with no confidentiality or integrity effects, consistent with a pure crash/DoS class defect.

RemediationAI

The primary fix is to upgrade to Autodesk 3ds Max 2026.1 or 3ds Max 2027.1, which are the patched releases confirmed by EUVD-2026-31909. Autodesk's official advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0006 should be consulted for patch delivery details; updates are available through the Autodesk Access tool referenced at https://www.autodesk.com/products/autodesk-access/overview. As a compensating control for organizations unable to patch immediately, instruct users not to open PAR files received from untrusted or unverified sources, and consider implementing file-type filtering at email and web gateways to quarantine unexpected PAR attachments for manual review - note this approach does not prevent exploitation through other delivery channels such as shared drives or USB media.

CVE-2026-0538 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri

CVE-2026-0661 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re

CVE-2026-0537 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr

CVE-2026-0660 HIGH
8.4 Feb 04

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious

CVE-2026-7454 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL

CVE-2026-0662 HIGH
7.8 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori

CVE-2026-7452 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious

CVE-2026-7451 HIGH
7.8 May 26

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c

CVE-2026-0536 HIGH
7.8 Feb 04

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-

CVE-2023-25002 HIGH
7.8 Jun 27

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity

CVE-2022-25793 HIGH
7.8 Aug 10

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through

CVE-2022-27871 HIGH
7.8 Jun 21

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b

Share

EUVD-2026-31909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy