Cyber Resilience

CVE-2026-0538

Severity: High (updated)
Published: 04 February 2026
Modified: 03 June 2026
KEV Added: not listed
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (7.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-0538 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Autodesk 3ds Max. Its CVSS base score is 8.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 7.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0538 is an Out-of-Bounds Write vulnerability (CWE-787) affecting Autodesk 3ds Max. The issue arises when the software parses a maliciously crafted GIF file, potentially forcing an out-of-bounds write. Published on 2026-02-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability by convincing a user to open a specially crafted GIF file in Autodesk 3ds Max. Exploitation is low-complexity and requires user interaction but no special privileges. A successful attack enables arbitrary code execution in the context of the affected process.

Autodesk has issued security advisory ADSK-SA-2026-0002 addressing this vulnerability, with further details available on the Autodesk Access product overview page.

Vulnerability details

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An out-of-bounds write in a client-side file parser (GIF) directly enables arbitrary code execution when a user opens a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7451 (same product: Autodesk 3ds Max)
CVE-2026-0536 (same product: Autodesk 3ds Max)
CVE-2026-0537 (same product: Autodesk 3ds Max)
CVE-2026-0661 (same product: Autodesk 3ds Max)
CVE-2026-0660 (same product: Autodesk 3ds Max)
CVE-2026-7452 (same product: Autodesk 3ds Max)
CVE-2026-7454 (same product: Autodesk 3ds Max)
CVE-2026-0662 (same product: Autodesk 3ds Max)
CVE-2026-0874 (same product: Autodesk 3ds Max)
CVE-2026-0875 (same product: Autodesk 3ds Max)

Affected Assets

Vendor: Autodesk
Product: 3ds Max
Versions: 2026 through 2026.3.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation directly addresses the out-of-bounds write vulnerability by applying Autodesk patches for CVE-2026-0538 in 3ds Max.

SI-16 Memory Protection (prevent): Memory protection mechanisms like ASLR and DEP prevent exploitation of the out-of-bounds write in GIF parsing to achieve arbitrary code execution.

SI-10 Information Input Validation (prevent): Information input validation restricts malformed GIF files from being processed by 3ds Max, mitigating the parsing trigger for the vulnerability.
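As an added example (not code from the advisory, from Autodesk, or from 3ds Max), a bounds-checking GIF structure validator of the kind an input-validation control implies: it walks the header, colour tables, extension sub-blocks and image descriptors and rejects any file whose declared sizes run past the bytes present, or whose frame does not fit the logical screen, before the file reaches a decoder. The function names, the sample GIF bytes and the rejection messages are constructed here; the code does not model the specific 3ds Max defect, which the advisory does not detail.

```python
import struct
class GifFormatError(ValueError): pass     # a declared size does not fit the bytes actually present

def _skip_table(data, pos, packed):
    if packed & 0x80:                                     # bit 7: colour table follows, 2 << (bits 0-2) entries
        pos += 3 * (2 << (packed & 7))
        if pos > len(data):
            raise GifFormatError("colour table truncated")
    return pos

def _skip_sub_blocks(data, pos):
    while pos < len(data):                                # length-prefixed sub-blocks; 0x00 ends the chain
        n, pos = data[pos], pos + 1
        if n == 0:
            return pos
        if pos + n > len(data):
            raise GifFormatError(f"sub-block claims {n} bytes, {len(data) - pos} remain")
        pos += n
    raise GifFormatError("sub-block chain runs past end of file")

def walk_gif(data):                                       # returns (width, height, frames) or raises
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifFormatError("missing or truncated GIF header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos, frames = _skip_table(data, 13, packed), 0
    while pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                                   # trailer: file is complete
            return width, height, frames
        if tag == 0x21:                                   # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C and pos + 9 <= len(data):        # image descriptor
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            if left + w > width or top + h > height:      # frame must fit the canvas a decoder allocates
                raise GifFormatError("image frame exceeds logical screen")
            pos = _skip_sub_blocks(data, _skip_table(data, pos + 9, ipacked) + 1)  # +1: LZW code size byte
            frames += 1
        else:
            raise GifFormatError(f"bad or truncated block (tag 0x{tag:02x}) at offset {pos - 1}")
    raise GifFormatError("file ends before trailer")

def validate_gif(data):  # gatekeeper verdict: (width, height, frames) if every size fits, else 'rejected: ...'
    try:
        return walk_gif(data)
    except GifFormatError as err:
        return f"rejected: {err}"

# Constructed inputs (not from the advisory): a 1x1 GIF89a with a graphic control extension, plus two malformed variants.
GOOD_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04\x00\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
OVERSIZED_FRAME_GIF = GOOD_GIF.replace(b"\x2c\x00\x00\x00\x00\x01\x00", b"\x2c\x00\x00\x00\x00\x00\x01")  # 256-wide frame
TRUNCATED_GIF = GOOD_GIF[:-5] + b"\xff\x44\x01\x00\x3b"   # last sub-block claims 255 bytes, only 4 remain
```

Files that come back as "rejected" never reach the decoder; the walk touches only length fields and never expands image data, so it is cheap to run on every untrusted file.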

References