PatchSiren cyber security CVE debrief
CVE-2026-7452 Autodesk CVE debrief
A memory corruption vulnerability exists in Autodesk 3ds Max when parsing maliciously crafted WRL (VRML) files. The flaw, published 2026-05-26, allows arbitrary code execution in the context of the current process through local attack vectors requiring user interaction. The vulnerability affects 3ds Max versions 2026 and 2027. Autodesk has issued security advisory ADSK-SA-2026-0006 addressing this issue. The CVSS 3.1 score of 7.8 (HIGH) reflects significant confidentiality, integrity, and availability impacts, though exploitation requires local access and user interaction to open a malicious file.
- Vendor: Autodesk
- Product: 3ds Max
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations using Autodesk 3ds Max 2026 or 2027 for 3D modeling and visualization, particularly those accepting WRL/VRML files from external sources. Security teams should prioritize patching due to the HIGH severity rating and potential for complete system compromise through user-targeted attacks.
Technical summary
The vulnerability stems from improper handling of WRL (VRML) file parsing in Autodesk 3ds Max, leading to memory corruption exploitable for arbitrary code execution. The attack requires local access and user interaction (opening a malicious file), with execution occurring in the context of the current 3ds Max process. Affected versions include 3ds Max 2026 and 2027. The underlying weakness is categorized as CWE-120 (Classic Buffer Overflow). No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA KEV.
Defensive priority
HIGH
Recommended defensive actions
- Apply security updates from Autodesk as specified in vendor advisory ADSK-SA-2026-0006
- Open WRL files in 3ds Max only when they come from trusted sources
- Implement application whitelisting to prevent execution of untrusted 3ds Max instances
- Consider disabling WRL import functionality if not required for business operations
- Monitor for suspicious 3ds Max process behavior or unexpected child processes
- Train users to recognize and avoid opening unsolicited or unexpected 3ds Max files
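The child-process monitoring recommended above, as an added example (not Autodesk or PatchSiren code). It assumes the 3ds Max process image is 3dsmax.exe and that process-creation events arrive as dicts with Sysmon Event ID 1 field names; the allowlist, the interpreter list and the sample events are constructed and need tuning against a local baseline.

```python
import ntpath

# Assumptions: 3ds Max runs as 3dsmax.exe; both sets are site-specific
# starting points, not vendor guidance. Baseline your own fleet first.
PARENT = "3dsmax.exe"
EXPECTED_CHILDREN = {"3dsmax.exe"}  # hypothetical baseline allowlist
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """None for unrelated or expected events, else 'high' or 'medium'."""
    if basename(event.get("ParentImage")) != PARENT:
        return None
    child = basename(event.get("Image"))
    if child in EXPECTED_CHILDREN:
        return None
    # A shell or script host under a 3D modelling tool is the stronger signal.
    return "high" if child in INTERPRETERS else "medium"

def triage(events):
    """Return (severity, event) pairs needing review, 'high' first."""
    alerts = [(classify(ev), ev) for ev in events if classify(ev)]
    return sorted(alerts, key=lambda a: a[0] != "high")

MAX = r"C:\Program Files\Autodesk\3ds Max 2027\3dsmax.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-01 09:14:02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": MAX, "CommandLine": r'3dsmax.exe "C:\Users\a\Downloads\scene.wrl"'},
    {"UtcTime": "2026-06-01 09:14:09", "ParentImage": MAX,
     "Image": r"C:\Users\a\AppData\Local\Temp\helper.exe", "CommandLine": "helper.exe"},
    {"UtcTime": "2026-06-01 09:14:10", "ParentImage": MAX,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2026-06-01 09:20:00", "ParentImage": MAX,
     "Image": MAX, "CommandLine": "3dsmax.exe -silent"},
    {"UtcTime": "2026-06-01 09:21:00", "ParentImage": r"C:\Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\powershell.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for severity, ev in triage(SAMPLE_EVENTS):
        print(severity, ev["UtcTime"], basename(ev["Image"]), "|", ev["CommandLine"])
```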
Evidence notes
CVE published 2026-05-26T18:16:55.900Z; modified 2026-05-26T20:41:09.723Z. Affects 3ds Max 2026 and 2027 per NVD CPE data. Vendor advisory confirms issue. CWE-120 (Classic Buffer Overflow) identified as root cause weakness.
Official resources
- CVE-2026-7452 CVE record (CVE.org)
- CVE-2026-7452 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference ([email protected] - Product)
- Mitigation or vendor reference ([email protected] - Vendor Advisory), 2026-05-26