Autodesk Products Heap-Based Buffer Overflow Vulnerability Allowing Memory Corruption and Arbitrary Code Execution
Vulnerability
A heap-based buffer overflow vulnerability has been identified in multiple Autodesk products, including AutoCAD 2026 and its specialized toolsets, as well as Autodesk Advance Steel, 3ds Max, Civil 3D, InfraWorks, Inventor, Revit, Revit LT, and Vault, all in version 2026.2. This vulnerability arises when a maliciously crafted 3DM file is linked or imported into the affected software, potentially leading to memory corruption. Exploitation of this vulnerability could cause the application to crash, allow reading of sensitive data, or enable execution of arbitrary code within the context of the current process.
Impact
Exploitation of this vulnerability causes a heap-based buffer overflow, leading to memory corruption. This allows for out-of-bounds writes and reads, use-after-free conditions, and could result in a crash, unauthorized access to sensitive information, or execution of arbitrary code in the context of the user.
Remediation
Users are advised to update to Autodesk Shared Components version 2026.3, available through the Autodesk Access or Accounts Portal. There is no need to update, uninstall, or reinstall individual Autodesk products, because the shared component update can be applied independently.
