Autodesk Products Out-of-Bounds Write Vulnerability Allowing Memory Corruption and Arbitrary Code Execution

An out-of-bounds write vulnerability has been identified in multiple Autodesk products, including AutoCAD 2026 and its specialized toolsets, as well as Autodesk Advance Steel, 3ds Max, Civil 3D, InfraWorks, Inventor, Revit, Revit LT, and Vault. This vulnerability arises when certain versions of Autodesk Shared Components are used, specifically 2026.2. A maliciously crafted PRT file can exploit this vulnerability, leading to memory corruption, data corruption, and the potential execution of arbitrary code within the current process.

Impact

Exploitation of this vulnerability causes a memory corruption issue, specifically a heap-based overflow, leading to an out-of-bounds write. This can result in a crash, data corruption, or the execution of arbitrary code in the context of the current process.

Remediation

Users are advised to update to Autodesk Shared Components version 2026.3, available through Autodesk Access or the Accounts Portal. No need to update, uninstall, or reinstall individual products, as the shared component update can be applied independently.