Cyber Posture

CVE-2026-0538

Severity: High
Published: 04 February 2026
Modified: 06 February 2026
KEV Added: not listed
Patch: see Autodesk advisory ADSK-SA-2026-0002
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (percentile 1.3)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0538 is a high-severity out-of-bounds write (CWE-787) vulnerability in Autodesk 3ds Max. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at percentile 1.3 by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): flaw remediation directly addresses the out-of-bounds write by applying Autodesk's patches for CVE-2026-0538 to 3ds Max.

SI-16 Memory Protection (prevent): memory protection mechanisms such as ASLR and DEP help prevent the out-of-bounds write in GIF parsing from being turned into arbitrary code execution.

Information Input Validation (prevent): validation that rejects malformed GIF files before 3ds Max processes them removes the parsing trigger for the vulnerability.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution): adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

An out-of-bounds write in a client-side file parser (here, the GIF parser) directly enables arbitrary code execution when a user opens a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Deeper analysis

CVE-2026-0538 is an Out-of-Bounds Write vulnerability (CWE-787) affecting Autodesk 3ds Max. The issue arises when the software parses a maliciously crafted GIF file, potentially forcing an out-of-bounds write. Published on 2026-02-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability by convincing a user to open a specially crafted GIF file in Autodesk 3ds Max. Exploitation requires low complexity and user interaction but no special privileges. Successful attacks enable arbitrary code execution in the context of the affected process.

Autodesk has issued security advisory ADSK-SA-2026-0002 addressing this vulnerability, with further details available on the Autodesk Access product overview page.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products: Autodesk 3ds Max, versions 2026 through 2026.3.2

CVEs Like This One

CVE-2026-0661 (same product: Autodesk 3ds Max)
CVE-2026-0537 (same product: Autodesk 3ds Max)
CVE-2026-0536 (same product: Autodesk 3ds Max)
CVE-2026-0660 (same product: Autodesk 3ds Max)
CVE-2026-0662 (same product: Autodesk 3ds Max)
CVE-2026-0874 (same product: Autodesk 3ds Max)
CVE-2026-0875 (same product: Autodesk 3ds Max)
CVE-2025-1430 (same vendor: Autodesk)
CVE-2026-4345 (same vendor: Autodesk)
CVE-2026-4369 (same vendor: Autodesk)