Cyber Resilience

CVE-2026-0874

High

Published: 18 February 2026
Modified: 20 February 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0874 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Autodesk Shared Components. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 11.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0874 is an Out-of-Bounds Write vulnerability (CWE-787) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), published on 2026-02-18. It affects certain Autodesk products that parse CATPART files, where a maliciously crafted CATPART file can trigger the vulnerability during processing.

An attacker with local access can exploit this vulnerability by convincing a user to open a specially crafted CATPART file through the affected Autodesk software. No special privileges are required, though user interaction is necessary. Successful exploitation may result in application crashes, data corruption, or arbitrary code execution within the context of the current process.

Autodesk has published security advisory ADSK-SA-2026-0004 detailing the issue, available at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0004. Additional information on affected products, such as Autodesk Access, can be found at https://www.autodesk.com/products/autodesk-access/overview. Practitioners should consult these resources for patch availability and mitigation guidance.

Vulnerability details

A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (Tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

An out-of-bounds write in the file parser enables arbitrary code execution triggered by opening a malicious CATPART file, which maps directly to client-side exploitation and user execution of a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0875 (same product: Autodesk 3Ds Max)
CVE-2025-1429 (same product: Autodesk Advance Steel)
CVE-2025-1430 (same product: Autodesk Advance Steel)
CVE-2025-1433 (same product: Autodesk Advance Steel)
CVE-2025-1428 (same product: Autodesk Advance Steel)
CVE-2025-1651 (same product: Autodesk Advance Steel)
CVE-2025-1649 (same product: Autodesk Advance Steel)
CVE-2025-1650 (same product: Autodesk Advance Steel)
CVE-2025-1431 (same product: Autodesk Advance Steel)
CVE-2026-0537 (same product: Autodesk 3Ds Max)

Affected Assets

Vendor: autodesk
Product: shared components
Versions: ≤ 2026.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 requires timely flaw remediation, directly mitigating this vulnerability by mandating installation of Autodesk patches as detailed in their security advisory.

Prevent: SI-16 implements memory protections such as ASLR and DEP that make it harder to turn an out-of-bounds write into arbitrary code execution even if the flaw is present.

Prevent: SI-10 enforces input validation for files like CATPARTs, reducing the risk of processing maliciously crafted inputs that trigger the parser vulnerability.
