CVE-2026-0659 - Vulnerability Details

- USD File Parsing Out-of-Bounds Write Vulnerability

Description

A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Published: 2026-02-04

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Autodesk can load USD files in its 3ds Max and Arnold products, and a specially crafted file triggers an out‑of‑bounds write that can be abused to execute arbitrary code in the process’s context. The vulnerability is a classic out‑of‑bounds write (CWE‑787) that provides the attacker with full control over the execution flow of a vulnerable instance. It does not require any network connectivity; the malicious USD file must be processed locally during import or loading.

Affected Systems

The affected software is Autodesk 3ds Max 2026.2, Autodesk Arnold 7.4.4.2, and USD for Arnold 7.4.4.1. These versions are listed in the CPE data. Any user who can load a USD file into one of these applications on a system where these versions are installed is susceptible.

Risk and Exploitability

The CVSS score of 7.8 reflects a high impact when the vulnerability is successfully triggered. The EPSS score of less than 1% indicates that, as of the last measurement, exploitation is unlikely to be widespread, but it is still possible, especially within specialized production environments where USD files are manipulated. The vulnerability is not currently in the CISA KEV catalog. Because the attack only requires a user to import a file, the primary attack vector is local, though a compromised user or remotely controlled file import scenario could also be used. Once the out‑of‑bounds write occurs, an attacker can run arbitrary code with the privileges of the application process, potentially leading to system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Autodesk

USD for Arnold

unaffected

Version	Status	Constraints
`7.4.4.1`	affected	< 7.4.4.2

Autodesk

Arnold

unaffected

Version	Status	Constraints
`7.4.4.1`	affected	< 7.4.4.2

Autodesk

3ds Max

unaffected

Version	Status	Constraints
`2026.2`	affected	< 2026.3.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Autodesk 3ds Max, Arnold, and USD for Arnold to a version that includes the fix as noted in the official advisory.
Configure the applications or the operating environment to refuse loading USD files from untrusted directories or sources, and enable file integrity checks or code signing for imported assets.
Apply application whitelisting or sandboxing policies to limit the potential impact of an exploited file, ensuring that any code executed from an untrusted USD file runs with minimal privileges.

Generated by OpenCVE AI on April 18, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/Autodesk/arnold-usd
https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0003

History

Wed, 04 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Title		USD File Parsing Out-of-Bounds Write Vulnerability
First Time appeared		Autodesk Autodesk 3ds Max Autodesk arnold Autodesk usd For Arnold
Weaknesses		CWE-787
CPEs		cpe:2.3:a:autodesk:3ds_max:2026.2:::::::* cpe:2.3:a:autodesk:arnold:7.4.4.2:::::::* cpe:2.3:a:autodesk:usd_for_arnold:arnold_usd_7.4.4.1:::::::*
Vendors & Products		Autodesk Autodesk 3ds Max Autodesk arnold Autodesk usd For Arnold
References		https://github.com/Autodesk/arnold-usd https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0003
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Autodesk 3ds Max Arnold Usd For Arnold

MITRE

Status: PUBLISHED

Assigner: autodesk

Published: 2026-02-04T16:01:27.307Z

Updated: 2026-02-26T15:04:20.838Z

Reserved: 2026-01-06T19:58:21.363Z

Link: CVE-2026-0659

Vulnrichment

Updated: 2026-02-04T16:38:35.606Z

NVD

Status : Deferred

Published: 2026-02-04T17:16:12.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object