Description
A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Published: 2026-05-26
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a memory corruption issue triggered when parsing a maliciously crafted WRL file in Autodesk 3ds Max. This flaw allows an attacker to execute arbitrary code with the privileges of the currently running application process, potentially compromising system integrity and confidentiality. The weakness corresponds to CWE-120, which is a buffer overflow fault.

Affected Systems

Autodesk 3ds Max versions released in 2026 and 2027 are impacted. Users of these editions should verify their installation dates. The flaw resides in the default file import functionality of the application.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. Exploit probability is not publicly available; the vulnerability has not been listed in the CISA KEV catalog. The attack vector most likely requires an end‑user to open a malicious WRL file, so it is a user‑initiated local attack leading to arbitrary code execution.

Generated by OpenCVE AI on May 26, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Autodesk 3ds Max update or patch that addresses the WRL file parsing issue, as detailed in the Autodesk security advisory.
  • Revoke or quarantine any untrusted WRL files and disable automatic opening of unknown WRL content within 3ds Max.
  • Configure application-level sandboxing or run 3ds Max in a restricted user context to limit the impact if exploitation occurs.

Generated by OpenCVE AI on May 26, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Title WRL File Parsing Memory Corruption in Autodesk 3ds Max
First Time appeared Autodesk
Autodesk 3ds Max
Weaknesses CWE-120
CPEs cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:3ds_max:2027:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk 3ds Max
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Autodesk 3ds Max
cve-icon MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-05-27T03:55:55.888Z

Reserved: 2026-04-29T17:19:13.538Z

Link: CVE-2026-7454

cve-icon Vulnrichment

Updated: 2026-05-26T18:54:45.103Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:56.200

Modified: 2026-05-26T20:40:28.047

Link: CVE-2026-7454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:00:12Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')