Skip to main content

3ds Max

21 CVEs product

Monthly

CVE-2026-7454 HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL (VRML) file, leading to memory corruption that runs attacker-controlled code in the context of the current user. The flaw requires user interaction to open a malicious file and has no public exploit identified at time of analysis, with EPSS estimating only a 0.01% exploitation probability over the next 30 days. SSVC rates technical impact as total but classifies exploitation as 'none' and not automatable, consistent with a client-side file-format attack rather than a wormable internet-facing flaw.

Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7453 MEDIUM PATCH This Month

Stack exhaustion in Autodesk 3ds Max 2026 and 2027 can be triggered by opening a maliciously crafted WRL (VRML) file, causing an application crash and denial-of-service condition for the affected user. Exploitation requires local access and deliberate user interaction - a victim must be socially engineered into opening the weaponized file. No active exploitation is identified; EPSS sits at 0.00% and SSVC exploitation status is confirmed none, placing real-world risk well below what the moderate CVSS score of 5.5 might initially suggest.

Information Disclosure 3ds Max
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-7452 HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.

Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7451 HIGH PATCH This Week

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.

Memory Corruption Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7450 MEDIUM PATCH This Month

NULL Pointer Dereference in Autodesk 3ds Max's PAR file parser allows a local attacker to crash the application by convincing a user to open a specially crafted PAR file, resulting in a denial-of-service condition. Affected versions span both the 2026 (prior to 2026.1) and 2027 (prior to 2027.1) release lines. No active exploitation has been identified - EPSS is 0.00% (0th percentile), SSVC exploitation status is 'none', and the vulnerability is not listed in CISA KEV - placing this squarely in a low-urgency, patch-and-monitor posture.

Denial Of Service Null Pointer Dereference 3ds Max
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-0536 HIGH This Week

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-based buffer overflow (CVE-2026-0536, CVSS 7.8). Local attackers can exploit this vulnerability by tricking users into opening a malicious GIF file to execute code with the privileges of the 3ds Max process. No patch is currently available.

Buffer Overflow Stack Overflow 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0662 HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directories that exploit an untrusted search path vulnerability. Local attackers can leverage this to execute arbitrary code with the privileges of the current user without requiring special permissions or interaction beyond opening a file. No patch is currently available for this high-severity vulnerability affecting 3ds Max users.

Privilege Escalation RCE 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0661 HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, resulting in a CWE-787 out-of-bounds write that corrupts memory and lets an attacker run code in the context of the user running 3ds Max. No public exploit identified at time of analysis, and the EPSS probability is only 0.01%, but the CVSS base score of 8.4 reflects the high impact when a victim is convinced to open a weaponized asset file.

Memory Corruption Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0660 HIGH This Week

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a maliciously crafted GIF file, running attacker code in the context of the current user process. The flaw carries a CVSS 8.4 (High) rating due to local attack vector but full confidentiality, integrity, and availability impact, with no public exploit identified at time of analysis and a very low EPSS probability (0.01%) reflecting the file-open user-interaction model typical of DCC software.

Buffer Overflow Stack Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0538 HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggering an out-of-bounds write (CWE-787) in its image-handling code. The flaw lets an attacker run code in the context of the user running 3ds Max; no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.

Buffer Overflow RCE Memory Corruption 3ds Max
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0537 HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, triggering an out-of-bounds write (CWE-787) that corrupts memory in the running process. Exploitation requires a victim to open the malicious file locally, but no public exploit has been identified at time of analysis and EPSS rates real-world exploitation likelihood at just 0.01%. The flaw was reported by Autodesk PSIRT and is tracked under advisory ADSK-SA-2026-0002.

Memory Corruption Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-11797 HIGH This Month

A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure RCE Use After Free 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-11795 HIGH This Month

A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-6634 HIGH This Month

A maliciously crafted TGA file, when linked or imported into Autodesk 3ds Max, can force a Memory Corruption vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-6633 HIGH This Month

A maliciously crafted RBG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-6632 MEDIUM This Month

A maliciously crafted PSD file, when linked or imported into Autodesk 3ds Max, can force an Out-of-Bounds Read vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Information Disclosure 3ds Max
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2023-25002 HIGH This Week

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free RCE Memory Corruption 3ds Max Navisworks +2
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-25793 HIGH This Week

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through the lack of proper validation of the length of user-supplied data prior to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-27871 HIGH This Week

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service RCE 3ds Max Advance Steel Autocad +11
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2022-27532 HIGH This Week

A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while parsing TIF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow 3ds Max
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2022-27531 HIGH This Week

A maliciously crafted TIF file can be forced to read beyond allocated boundaries in Autodesk 3ds Max 2022, and 2021 when parsing the TIF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Information Disclosure 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.7%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL (VRML) file, leading to memory corruption that runs attacker-controlled code in the context of the current user. The flaw requires user interaction to open a malicious file and has no public exploit identified at time of analysis, with EPSS estimating only a 0.01% exploitation probability over the next 30 days. SSVC rates technical impact as total but classifies exploitation as 'none' and not automatable, consistent with a client-side file-format attack rather than a wormable internet-facing flaw.

Buffer Overflow RCE 3ds Max
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack exhaustion in Autodesk 3ds Max 2026 and 2027 can be triggered by opening a maliciously crafted WRL (VRML) file, causing an application crash and denial-of-service condition for the affected user. Exploitation requires local access and deliberate user interaction - a victim must be socially engineered into opening the weaponized file. No active exploitation is identified; EPSS sits at 0.00% and SSVC exploitation status is confirmed none, placing real-world risk well below what the moderate CVSS score of 5.5 might initially suggest.

Information Disclosure 3ds Max
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.

Buffer Overflow RCE 3ds Max
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL Pointer Dereference in Autodesk 3ds Max's PAR file parser allows a local attacker to crash the application by convincing a user to open a specially crafted PAR file, resulting in a denial-of-service condition. Affected versions span both the 2026 (prior to 2026.1) and 2027 (prior to 2027.1) release lines. No active exploitation has been identified - EPSS is 0.00% (0th percentile), SSVC exploitation status is 'none', and the vulnerability is not listed in CISA KEV - placing this squarely in a low-urgency, patch-and-monitor posture.

Denial Of Service Null Pointer Dereference 3ds Max
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-based buffer overflow (CVE-2026-0536, CVSS 7.8). Local attackers can exploit this vulnerability by tricking users into opening a malicious GIF file to execute code with the privileges of the 3ds Max process. No patch is currently available.

Buffer Overflow Stack Overflow 3ds Max
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directories that exploit an untrusted search path vulnerability. Local attackers can leverage this to execute arbitrary code with the privileges of the current user without requiring special permissions or interaction beyond opening a file. No patch is currently available for this high-severity vulnerability affecting 3ds Max users.

Privilege Escalation RCE 3ds Max
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, resulting in a CWE-787 out-of-bounds write that corrupts memory and lets an attacker run code in the context of the user running 3ds Max. No public exploit identified at time of analysis, and the EPSS probability is only 0.01%, but the CVSS base score of 8.4 reflects the high impact when a victim is convinced to open a weaponized asset file.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a maliciously crafted GIF file, running attacker code in the context of the current user process. The flaw carries a CVSS 8.4 (High) rating due to local attack vector but full confidentiality, integrity, and availability impact, with no public exploit identified at time of analysis and a very low EPSS probability (0.01%) reflecting the file-open user-interaction model typical of DCC software.

Buffer Overflow Stack Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggering an out-of-bounds write (CWE-787) in its image-handling code. The flaw lets an attacker run code in the context of the user running 3ds Max; no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.

Buffer Overflow RCE Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, triggering an out-of-bounds write (CWE-787) that corrupts memory in the running process. Exploitation requires a victim to open the malicious file locally, but no public exploit has been identified at time of analysis and EPSS rates real-world exploitation likelihood at just 0.01%. The flaw was reported by Autodesk PSIRT and is tracked under advisory ADSK-SA-2026-0002.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Month

A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure RCE +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Month

A maliciously crafted TGA file, when linked or imported into Autodesk 3ds Max, can force a Memory Corruption vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE 3ds Max
NVD
EPSS 0% CVSS 7.8
HIGH This Month

A maliciously crafted RBG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A maliciously crafted PSD file, when linked or imported into Autodesk 3ds Max, can force an Out-of-Bounds Read vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free RCE Memory Corruption +4
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through the lack of proper validation of the length of user-supplied data prior to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow 3ds Max
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service RCE 3ds Max +13
NVD
EPSS 1% CVSS 7.8
HIGH This Week

A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while parsing TIF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow +1
NVD
EPSS 1% CVSS 7.8
HIGH This Week

A maliciously crafted TIF file can be forced to read beyond allocated boundaries in Autodesk 3ds Max 2022, and 2021 when parsing the TIF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Information Disclosure +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy