Description
A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Published: 2026-05-26
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed WRL file, when processed by Autodesk 3ds Max, triggers a memory corruption that can be exploited to run arbitrary code in the user’s process context. The vulnerability is a classic buffer overflow (CWE-120) that allows a malicious actor to take control of the application. If successful, the attacker can compromise the confidentiality, integrity, or availability of the system running 3ds Max, potentially leading to full system takeover if privileges are elevated.

Affected Systems

This issue affects Autodesk 3ds Max versions 2026 and 2027. The vulnerability is tied to the WRL file parsing component in these releases. No further sub‑version detail is available at this time.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. No EPSS score is reported, so the probability of exploitation is unknown, but the potential impact is significant. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered by a crafted file, the most likely attack vector is a local or remote actor who is able to cause the software to open the malicious WRL file. No specific prerequisite authentication or privilege escalation is mentioned, implying that the vulnerability can be leveraged against any user running the application.

Generated by OpenCVE AI on May 26, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest 3ds Max patch provided by Autodesk for 2026 and 2027 to remove the buffer overflow in the WRL file parser.
  • Avoid opening or importing WRL files from untrusted or unknown sources until a patch is applied.
  • Implement strict file‑type restrictions or quarantining for 3ds Max to prevent accidental processing of malicious WRL data.

Advisories

No advisories yet.

History

Tue, 26 May 2026 19:30:00 +0000

Changes (Type: Values Added; nothing is listed under Values Removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 18:00:00 +0000

Changes (Type: Values Added; nothing is listed under Values Removed):
  • Description: A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
  • Title: WRL File Parsing Memory Corruption in Autodesk 3ds Max
  • First Time appeared: Autodesk; Autodesk 3ds Max
  • Weaknesses: CWE-120
  • CPEs: cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*; cpe:2.3:a:autodesk:3ds_max:2027:*:*:*:*:*:*:*
  • Vendors & Products: Autodesk; Autodesk 3ds Max
  • References:
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-05-27T03:55:52.364Z

Reserved: 2026-04-29T17:19:12.024Z

Link: CVE-2026-7452

Vulnrichment

Updated: 2026-05-26T18:39:28.926Z

NVD

Status: Analyzed

Published: 2026-05-26T18:16:55.900

Modified: 2026-05-26T20:41:09.723

Link: CVE-2026-7452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T23:00:15Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')