Out-of-Bounds Write Vulnerability in Autodesk Arnold and 3ds Max
CVE-2026-0659

7.8HIGH

Key Information:

Vendor

Autodesk
Status
Usd For Arnold
Arnold
3ds Max
Vendor
CVE Published:
4 February 2026

What is CVE-2026-0659?

A vulnerability has been identified where a specially crafted USD file can induce an Out-of-Bounds Write condition when loaded or imported into Autodesk Arnold or Autodesk 3ds Max. This issue can be exploited by a malicious actor to execute arbitrary code within the context of the affected process, potentially compromising system integrity and user data.

Affected Version(s)

3ds Max 2026.2 < 2026.3.2

Arnold 7.4.4.1 < 7.4.4.2

USD for Arnold 7.4.4.1 < 7.4.4.2

References

https://www.autodesk.com/products/autodesk-access/overview
patch
https://github.com/Autodesk/arnold-usd
patch
https://www.autodesk.com/trust/security-advisories/adsk-s...
vendor-advisory

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.