Skip to main content

Autodesk 3ds Max EUVDEUVD-2026-31914

| CVE-2026-7453 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-26 autodesk GHSA-jxh4-3xvg-j3fm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:49 vuln.today
CVSS changed
Jun 03, 2026 - 14:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can cause a Stack Exhaustion vulnerability, leading to a denial-of-service condition.

AnalysisAI

Stack exhaustion in Autodesk 3ds Max 2026 and 2027 can be triggered by opening a maliciously crafted WRL (VRML) file, causing an application crash and denial-of-service condition for the affected user. Exploitation requires local access and deliberate user interaction - a victim must be socially engineered into opening the weaponized file. No active exploitation is identified; EPSS sits at 0.00% and SSVC exploitation status is confirmed none, placing real-world risk well below what the moderate CVSS score of 5.5 might initially suggest.

Technical ContextAI

WRL files use the VRML (Virtual Reality Modeling Language) format, a structured 3D scene description language supported in 3ds Max as an import format. CWE-674 (Uncontrolled Recursion) identifies the root cause: the WRL parser fails to enforce a maximum recursion depth when traversing deeply nested or self-referencing node structures within the file, causing the call stack to grow unboundedly until it is exhausted. This is a classic parser-level vulnerability where input is not validated for structural depth before recursive descent begins. The CPE identifier cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:* applies across all platform builds of 3ds Max, and ENISA EUVD data (EUVD-2026-31914) narrows the scope to the 2026 and 2027 release trains specifically. The vulnerability is entirely within the file-parsing subsystem and carries no network-facing attack surface.

RemediationAI

Upgrade to Autodesk 3ds Max 2026.1 or 2027.1, which contain the vendor-released patch per Autodesk Security Advisory ADSK-SA-2026-0006 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0006). Updates can be obtained through the Autodesk Access utility at https://www.autodesk.com/products/autodesk-access/overview. For organizations unable to patch immediately, a practical compensating control is to instruct users not to open WRL files from untrusted or unverified sources, as the exploit path is entirely dependent on user-initiated file opening. If 3ds Max application settings allow disabling or restricting the VRML/WRL import feature, doing so would eliminate the attack surface at the cost of removing that import capability from legitimate workflows. No additional network-layer controls are applicable given the local-only attack vector.

CVE-2026-0538 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri

CVE-2026-0661 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re

CVE-2026-0537 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr

CVE-2026-0660 HIGH
8.4 Feb 04

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious

CVE-2026-7454 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL

CVE-2026-0662 HIGH
7.8 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori

CVE-2026-7452 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious

CVE-2026-7451 HIGH
7.8 May 26

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c

CVE-2026-0536 HIGH
7.8 Feb 04

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-

CVE-2023-25002 HIGH
7.8 Jun 27

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity

CVE-2022-25793 HIGH
7.8 Aug 10

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through

CVE-2022-27871 HIGH
7.8 Jun 21

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b

Share

EUVD-2026-31914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy