Description
A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Patch ASAP
AI Analysis

Impact

A maliciously crafted GIF file can trigger an out‑of‑bounds write when parsed in Autodesk 3ds Max. The vulnerability, identified as CWE‑787, permits an attacker to overwrite memory outside the intended bounds and ultimately execute arbitrary code within the context of the running 3ds Max process. This can compromise confidentiality, integrity, and availability of the system where the application is running.

Affected Systems

The issue affects Autodesk 3ds Max. No specific version range is listed, so any current installation that has not been updated is potentially vulnerable. The affected system is the 3ds Max application itself, as noted by Autodesk in its advisory.

Risk and Exploitability

The CVSS base score of 7.8 classifies the vulnerability as high severity. The EPSS score of <1% indicates that the likelihood of exploitation is low at present, and the vulnerability is not yet listed in the CISA KEV catalog. However, exploitation is still possible if an attacker gains access to a system that stores or opens untrusted GIF files. The attack vector is most likely local; an attacker could supply a malicious GIF through a file upload or import operation, causing the vulnerable code to write out of bounds and run arbitrary code within the application’s process.

Generated by OpenCVE AI on April 17, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current 3ds Max version against the Autodesk security advisory and apply the patch when it is released
  • If a patch is not yet available, restrict the import or opening of GIF files to trusted sources or use a file verification step before processing
  • Implement a least‑privilege execution environment for 3ds Max, such as running it under a dedicated, non‑administrator user account

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Title GIF File Parsing Out-of-Bounds Write
First Time appeared Autodesk
Autodesk 3ds Max
Weaknesses CWE-787
CPEs cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk 3ds Max
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-02-26T15:04:20.268Z

Reserved: 2025-12-23T07:18:10.337Z

Link: CVE-2026-0538

Vulnrichment

Updated: 2026-02-04T16:35:36.529Z

NVD

Status: Analyzed

Published: 2026-02-04T17:16:12.403

Modified: 2026-02-06T17:49:06.210

Link: CVE-2026-0538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses