Description
A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.
Published: 2026-02-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A specially crafted CATPART file triggers an out‑of‑bounds write in several Autodesk applications, including 3ds Max, AutoCAD families, and Revit. The flaw can cause the application to crash or corrupt data, and in the worst case it enables execution of arbitrary code in the context of the running process. The vulnerability is classified as a memory corruption weakness (CWE‑787).

Affected Systems

Affected products include Autodesk 3ds Max 2026, Autodesk Advance Steel 2026, multiple AutoCAD variants (AutoCAD, Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D) 2026, Autodesk Civil 3D 2026, Autodesk Infraworks 2026, Autodesk Inventor 2026, Autodesk Revit 2026 and Revit LT 2026, Autodesk Shared Components (2026 and 2026.5), and Autodesk Vault 2026.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity risk, yet the EPSS probability is less than one percent, suggesting that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description and the CVSS vector (AV:L/PR:N/UI:R), the attack likely involves a user opening a maliciously crafted CATPART file within an authenticated, local session, which would allow the attacker to gain code execution on the machine that hosts the application. No known exploitation beyond crashes and data corruption is documented, but the potential for arbitrary code execution makes the flaw critical if exploited.

Generated by OpenCVE AI on April 17, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Autodesk product updates that address the CATPART parsing vulnerability.
  • Restrict or monitor the handling of CATPART files, ensuring that only trusted and validated files are opened.
  • Employ application sandboxing or use separate, least‑privileged processes for running affected Autodesk software.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 15:15:00 +0000

First Time appeared (values added):
  • Autodesk 3ds Max
  • Autodesk advance Steel
  • Autodesk autocad
  • Autodesk autocad Architecture
  • Autodesk autocad Electrical
  • Autodesk autocad Map 3d
  • Autodesk autocad Mechanical
  • Autodesk autocad Mep
  • Autodesk autocad Plant 3d
  • Autodesk civil 3d
  • Autodesk infraworks
  • Autodesk inventor
  • Autodesk revit
  • Autodesk revit Lt
  • Autodesk vault

CPEs (values added):
  • cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:advance_steel:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_architecture:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_electrical:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_map_3d:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_mechanical:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_mep:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_plant_3d:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:civil_3d:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:infraworks:2026:-:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:inventor:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:revit:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:revit_lt:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:shared_components:*:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:vault:2026:*:*:*:*:*:*:*

Vendors & Products (values added):
  • Autodesk 3ds Max
  • Autodesk advance Steel
  • Autodesk autocad
  • Autodesk autocad Architecture
  • Autodesk autocad Electrical
  • Autodesk autocad Map 3d
  • Autodesk autocad Mechanical
  • Autodesk autocad Mep
  • Autodesk autocad Plant 3d
  • Autodesk civil 3d
  • Autodesk infraworks
  • Autodesk inventor
  • Autodesk revit
  • Autodesk revit Lt
  • Autodesk vault

Wed, 18 Feb 2026 21:15:00 +0000

Metrics (value added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 20:00:00 +0000

Description (value added): A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.

Title (value added): CATPART File Parsing Out-of-Bounds Write

First Time appeared (values added):
  • Autodesk
  • Autodesk shared Components

Weaknesses (value added): CWE-787

CPEs (value added): cpe:2.3:a:autodesk:shared_components:2026.5:*:*:*:*:*:*:*

Vendors & Products (values added):
  • Autodesk
  • Autodesk shared Components

References

Metrics (value added): cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-02-26T14:44:15.903Z

Reserved: 2026-01-13T12:36:42.762Z

Link: CVE-2026-0874

Vulnrichment

Updated: 2026-02-18T20:11:25.701Z

NVD

Status: Analyzed

Published: 2026-02-18T20:18:32.193

Modified: 2026-02-20T15:09:23.400

Link: CVE-2026-0874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses