Description
A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.
Published: 2026-02-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Write potentially leading to arbitrary code execution
Action: Patch Immediately
AI Analysis

Impact

A maliciously crafted MODEL file can trigger an out-of-bounds write when parsed by Autodesk products. This bug can corrupt memory, cause the application to crash, or allow an attacker to execute arbitrary code in the context of the current process. The vulnerability is a classic buffer overflow, classified as CWE-787 (Out-of-bounds Write). It directly compromises the confidentiality, integrity, or availability of the application.

Affected Systems

The affected products are all Autodesk applications released in the 2026 cycle, including 3ds Max 2026, Advance Steel 2026, AutoCAD 2026 variants (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D), Civil 3D 2026, InfraWorks 2026, Inventor 2026, Revit 2026, Revit LT 2026, and Vault 2026. The Shared Components package is also impacted, in versions up to 2026.5. Users of any of these 2026 releases should review the advisory to verify whether they are running a vulnerable build.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity, but the EPSS score is less than 1%, so exploitation likelihood is currently low. The bug is not listed as a known exploited vulnerability in the CISA KEV catalog. Based on the description, it is inferred that the attack requires a user to open or import the crafted MODEL file locally, which matches the AV:L and UI:R components of the published CVSS vector. An attacker would need to get the file onto the victim's machine, making remote exploitation difficult without lateral movement or social engineering. Once triggered, the out-of-bounds write could lead to a program crash, data corruption, or code execution if the attacker can control the memory content.

Generated by OpenCVE AI on April 17, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Autodesk patch for all affected 2026 products and the Shared Components package
  • If a patch is unavailable, disable or block MODEL file parsing for untrusted sources to prevent the vulnerability from being triggered
  • Configure file integrity checks or digital signatures on MODEL files to ensure only authentic files are processed

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 15:15:00 +0000

Values Added, by type (the Values Removed column is empty):

First Time appeared:
  • Autodesk 3ds Max
  • Autodesk advance Steel
  • Autodesk autocad
  • Autodesk autocad Architecture
  • Autodesk autocad Electrical
  • Autodesk autocad Map 3d
  • Autodesk autocad Mechanical
  • Autodesk autocad Mep
  • Autodesk autocad Plant 3d
  • Autodesk civil 3d
  • Autodesk infraworks
  • Autodesk inventor
  • Autodesk revit
  • Autodesk revit Lt
  • Autodesk vault

CPEs:
  • cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:advance_steel:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_architecture:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_electrical:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_map_3d:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_mechanical:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_mep:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:autocad_plant_3d:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:civil_3d:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:infraworks:2026:-:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:inventor:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:revit:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:revit_lt:2026:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:shared_components:*:*:*:*:*:*:*:*
  • cpe:2.3:a:autodesk:vault:2026:*:*:*:*:*:*:*

Vendors & Products:
  • Autodesk 3ds Max
  • Autodesk advance Steel
  • Autodesk autocad
  • Autodesk autocad Architecture
  • Autodesk autocad Electrical
  • Autodesk autocad Map 3d
  • Autodesk autocad Mechanical
  • Autodesk autocad Mep
  • Autodesk autocad Plant 3d
  • Autodesk civil 3d
  • Autodesk infraworks
  • Autodesk inventor
  • Autodesk revit
  • Autodesk revit Lt
  • Autodesk vault

Wed, 18 Feb 2026 20:15:00 +0000

Values Added, by type (the Values Removed column is empty):

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 20:00:00 +0000

Values Added, by type (the Values Removed column is empty):

Description: A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.

Title: MODEL File Parsing Out-of-Bounds Write

First Time appeared:
  • Autodesk
  • Autodesk shared Components

Weaknesses: CWE-787

CPEs: cpe:2.3:a:autodesk:shared_components:2026.5:*:*:*:*:*:*:*

Vendors & Products:
  • Autodesk
  • Autodesk shared Components

References:

Metrics (cvssV3_1): {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-02-26T14:44:15.726Z

Reserved: 2026-01-13T12:37:27.702Z

Link: CVE-2026-0875

Vulnrichment

Updated: 2026-02-18T20:10:22.678Z

NVD

Status: Analyzed

Published: 2026-02-18T20:18:32.370

Modified: 2026-02-20T15:09:30.523

Link: CVE-2026-0875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses