Autodesk Products Out-of-Bounds Read Vulnerability Allowing Memory Corruption and Arbitrary Code Execution

Vulnerability

An out-of-bounds read vulnerability has been identified in multiple Autodesk products, including AutoCAD 2026, Advance Steel 2026, 3ds Max 2026, Civil 3D 2026, InfraWorks 2026, Inventor 2026, Revit 2026, Revit LT 2026, and Vault 2026. The vulnerability arises from improper handling of maliciously crafted PRT files, which can lead to memory corruption when linked or imported into the affected applications. Exploitation could result in a crash, unauthorized access to sensitive data, or execution of arbitrary code within the current process context.

Impact

Exploitation of this vulnerability causes a memory corruption error, leading to a heap-based overflow. This allows for an out-of-bounds read, where a malicious actor can access memory locations outside the intended boundaries, potentially leading to a crash, unauthorized data access, or execution of arbitrary code in the context of the current process.

Remediation

Users are advised to update to Autodesk Shared Components version 2026.3, available through Autodesk Access or the Accounts Portal. There is no need to update, uninstall, or reinstall individual Autodesk products, because the shared component update can be applied independently.

Added: Jul 29, 2025, 6:27 PM
Updated: Jul 29, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 4.4
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.