PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7454 Autodesk CVE debrief

A memory corruption vulnerability exists in Autodesk 3ds Max when parsing maliciously crafted WRL (VRML) files. The flaw, published 2026-05-26, allows arbitrary code execution in the context of the current process with a CVSS 3.1 score of 7.8 (HIGH). The vulnerability is triggered through user interaction—specifically, opening a malicious WRL file—and requires local access with no privileges. Affected versions include 3ds Max 2026 and 2027. Autodesk has issued security advisory ADSK-SA-2026-0006 addressing this issue. The root cause is classified as CWE-120 (Classic Buffer Overflow). No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor: Autodesk
Product: 3ds Max
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations using Autodesk 3ds Max 2026 or 2027 for 3D modeling, animation, and rendering workflows; media and entertainment companies; architectural visualization firms; game development studios; educational institutions with 3ds Max deployments; security teams responsible for endpoint protection in creative software environments

Technical summary

The vulnerability stems from improper handling of the WRL (VRML) file format during parsing in Autodesk 3ds Max. The memory corruption condition (CWE-120) can be triggered when a malformed WRL file is processed, potentially allowing an attacker to corrupt heap or stack memory and redirect execution flow. The attack vector is local (AV:L) and requires user interaction (UI:R), with no privileges required (PR:N). The confidentiality, integrity, and availability impacts are all rated HIGH. This is a classic file format parsing vulnerability in a widely used 3D modeling application, where the attack surface is primarily social engineering to induce a user to open the file.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Autodesk as detailed in vendor advisory ADSK-SA-2026-0006
  • Restrict execution of 3ds Max to trusted users and implement application whitelisting
  • Block or quarantine unsolicited WRL files at email gateways and endpoints
  • Train users to avoid opening WRL files from untrusted sources
  • Monitor for anomalous 3ds Max process behavior indicating potential exploitation attempts
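
One way to implement the "block or quarantine unsolicited WRL files" action at a gateway or endpoint hook, as an added example that is not Autodesk's or PatchSiren's code. It classifies a file as VRML by its header line as well as by its name, so a renamed or gzip-compressed file is still caught; it does not judge whether a file is malicious. The function names `sniff_vrml` and `triage`, the verdict strings, and the policy of quarantining on extension alone are assumptions of this sketch.

```python
import gzip
import io
import os
import zlib

# Header lines that open VRML 1.0 and VRML 2.0 (VRML97) files.
VRML_MAGIC = (b"#VRML V1.0 ascii", b"#VRML V2.0 utf8")
VRML_EXTENSIONS = {".wrl", ".wrz"}  # .wrz is the usual name for gzipped VRML
GZIP_MAGIC = b"\x1f\x8b"
UTF8_BOM = b"\xef\xbb\xbf"
PEEK = 64  # bytes of (decompressed) content needed to see the header line


def sniff_vrml(data: bytes) -> bool:
    """True if the content starts with a VRML header, plain or gzip-compressed."""
    head = data[:PEEK]
    if head.startswith(GZIP_MAGIC):
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                head = gz.read(PEEK)  # only inflate the first few bytes
        except (OSError, EOFError, zlib.error):
            return False  # unreadable gzip: the extension check in triage() decides
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    return head.startswith(VRML_MAGIC)


def triage(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one inbound file (hypothetical policy)."""
    ext = os.path.splitext(filename)[1].lower()
    if sniff_vrml(data):
        if ext in VRML_EXTENSIONS:
            return "quarantine", "VRML content"
        return "quarantine", f"VRML content disguised as '{ext or 'no extension'}'"
    if ext in VRML_EXTENSIONS:
        return "quarantine", "VRML extension, content not recognised"
    return "allow", "not VRML"


if __name__ == "__main__":
    body = b"#VRML V2.0 utf8\nShape { geometry Box {} }\n"  # constructed sample
    samples = {
        "scene.wrl": body,
        "notes.txt": body,                 # renamed VRML
        "asset.bin": gzip.compress(body),  # compressed and renamed
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for name, data in samples.items():
        print(name, triage(name, data))
```
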

Evidence notes

CVE published 2026-05-26T18:16:56.200Z; modified 2026-05-26T20:40:28.047Z. CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected CPEs: cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:* and cpe:2.3:a:autodesk:3ds_max:2027:*:*:*:*:*:*:*. Weakness: CWE-120 per vendor PSIRT.
