Cyber Resilience

CVE-2026-3476

HighUpdated

Published: 16 March 2026

Published
16 March 2026
Modified
08 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3476 is a high-severity Code Injection (CWE-94) vulnerability in 3Ds Solidworks. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3476 is a code injection vulnerability (CWE-94) affecting SOLIDWORKS Desktop from Release 2025 through Release 2026. Published on 2026-03-16T14:19:48.130, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue enables arbitrary code execution on the user's machine when opening a specially crafted file.

The vulnerability can be exploited by an attacker with local access who tricks a user into opening a malicious file, requiring low attack complexity and user interaction but no privileges. Successful exploitation allows the attacker to achieve high-impact effects, including unauthorized access to sensitive data, modification of system files, and disruption of services on the affected workstation.

Mitigation details and patches are outlined in the official advisory from Dassault Systèmes, available at https://www.3ds.com/trust-center/security/security-advisories/cve-2026-3476. Security practitioners should consult this resource for specific remediation steps.

EU & UK References

Vulnerability details

A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is a client-side code injection flaw that directly results in arbitrary code execution upon opening a malicious file, mapping to T1204.002 User Execution: Malicious File.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-61982Shared CWE-94
CVE-2026-42214Shared CWE-94
CVE-2024-27856Shared CWE-94
CVE-2025-24243Shared CWE-94
CVE-2025-25944Shared CWE-94
CVE-2023-31044Shared CWE-94
CVE-2025-65715Shared CWE-94
CVE-2025-21187Shared CWE-94
CVE-2025-61732Shared CWE-94
CVE-2023-51313Shared CWE-94

Affected Assets

3ds
solidworks
2026 · 2025 — 2026

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing CVE-2026-3476 by mandating application of the vendor patch to eliminate the code injection vulnerability.

prevent

SI-10 enforces information input validation to check file contents, preventing code injection attacks like CVE-2026-3476 during parsing of specially crafted SOLIDWORKS files.

prevent

SI-16 implements memory protections such as DEP and ASLR to block execution of arbitrary code injected via malicious files exploiting CVE-2026-3476.

References