CVE-2026-0538
Published: 04 February 2026
Summary
CVE-2026-0538 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Autodesk 3ds Max. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 7.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0538 is an Out-of-Bounds Write vulnerability (CWE-787) affecting Autodesk 3ds Max. The issue arises when the software parses a maliciously crafted GIF file, potentially forcing an out-of-bounds write. Published on 2026-02-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability by convincing a user to open a specially crafted GIF file in Autodesk 3ds Max. Exploitation requires low complexity and user interaction but no special privileges. Successful attacks enable arbitrary code execution in the context of the affected process.
Autodesk has issued security advisory ADSK-SA-2026-0002 addressing this vulnerability, with further details available on the Autodesk Access product overview page.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5428
Vulnerability details
A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds write in a client-side file parser (GIF) directly enables exploitation for arbitrary code execution when a user opens a malicious file.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the out-of-bounds write vulnerability by applying Autodesk patches for CVE-2026-0538 in 3ds Max.
Memory protection mechanisms like ASLR and DEP prevent exploitation of the out-of-bounds write in GIF parsing to achieve arbitrary code execution.
Information input validation restricts malformed GIF files from being processed by 3ds Max, mitigating the parsing trigger for the vulnerability.
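The input-validation control above, sketched as a pre-screening check that rejects structurally malformed GIF files before they reach a parser. This is an added example, not Autodesk code or a check for the specific flaw: the page does not say which GIF field triggers the bug, so the function (all names hypothetical) enforces general GIF container rules, and the 2..8 LZW range is a conservative policy choice.

```python
# Added illustration: hypothetical names, general GIF rules, not a CVE signature.
import struct

class GifRejected(ValueError):
    """Raised when a file breaks a structural rule of the GIF container."""

def skip_sub_blocks(data, pos):
    # Sub-blocks: <size byte><size bytes>..., ended by a zero size byte.
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise GifRejected("sub-block chain truncated or unterminated")

def skip_color_table(data, pos, packed):
    if packed & 0x80:  # table present: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    return pos

def validate_gif(data):
    """Return the frame count, or raise GifRejected on a structural violation."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifRejected("bad signature or truncated header")
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos, frames = skip_color_table(data, 13, packed), 0
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                      # trailer: well-formed end of file
            return frames
        if block == 0x21:                      # extension: label, then sub-blocks
            pos = skip_sub_blocks(data, pos + 1)
        elif block == 0x2C and pos + 9 <= len(data):  # image descriptor
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            if w == 0 or h == 0 or left + w > screen_w or top + h > screen_h:
                raise GifRejected("frame is empty or outside the logical screen")
            pos = skip_color_table(data, pos + 9, ipacked)
            if pos >= len(data) or not 2 <= data[pos] <= 8:  # conservative range
                raise GifRejected("LZW minimum code size missing or out of range")
            pos = skip_sub_blocks(data, pos + 1)
            frames += 1
        else:
            raise GifRejected("unknown or truncated block 0x%02x" % block)
    raise GifRejected("missing trailer")

# Constructed samples: a 1x1 single-frame GIF, and the same bytes with the
# frame width patched to 2 so the frame exceeds the 1x1 logical screen.
GOOD = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6) + b"\x2c"
        + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x4c\x01\x00\x3b")
BAD = GOOD[:24] + b"\x02" + GOOD[25:]
```

A check like this narrows what reaches the parser but does not replace the vendor patch, since a file can satisfy every container rule and still carry a malicious compressed stream.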