CVE-2026-0659
Autodesk · Arnold and 3ds Max
A maliciously crafted USD file, when loaded into Autodesk Arnold or 3ds Max, triggers an Out-of-Bounds Write vulnerability, potentially leading to arbitrary code execution.
Executive summary
Autodesk Arnold and 3ds Max are vulnerable to an Out-of-Bounds Write flaw that allows attackers to execute arbitrary code via malicious USD files.
Vulnerability
This vulnerability is an Out-of-Bounds Write that occurs during the processing of Universal Scene Description (USD) files. An attacker would likely require a user to open a specially crafted file, making this a client-side attack requiring minimal user interaction.
Business impact
A successful exploit could lead to the complete compromise of the workstation running the affected Autodesk software. Given the CVSS score of 7.8, the impact is high, potentially resulting in the theft of intellectual property, unauthorized data access, or the introduction of malware into the corporate network. System downtime for recovery and forensic investigation would further increase the total cost of the incident.
Remediation
Immediate Action: Apply the latest security updates provided by Autodesk for Arnold and 3ds Max to patch the USD file processing logic.
Proactive Monitoring: Monitor endpoint detection and response (EDR) logs for unusual child processes spawning from Autodesk applications, particularly after opening external USD assets.
Compensating Controls: Restrict the ingestion of USD files from untrusted or external sources and implement file sandboxing for previewing third-party assets.
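The Proactive Monitoring item above can be turned into a concrete detection over process-creation telemetry. The following is an added example, not part of the advisory or any Autodesk tooling; the parent image names (3dsmax.exe, kick.exe), the allowlist and the sample records are assumptions chosen for illustration and should be tuned to local telemetry.

```python
import json
from typing import Iterable

# Assumed, not from the advisory: image names of the Autodesk hosts that load USD
# files (3dsmax.exe is 3ds Max, kick.exe is Arnold's command-line renderer).
AUTODESK_PARENTS = {"3dsmax.exe", "kick.exe"}
# Children an asset-loading application should not launch; a shell or script host
# appearing here right after a file open is the classic post-exploitation sign.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Children that are normal for these parents; an assumed allowlist to tune per site.
EXPECTED_CHILDREN = {"conhost.exe", "werfault.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line (the shape EDR/Sysmon exports use)."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def flag_events(events: Iterable[dict]) -> list[dict]:
    """Return Autodesk-parented process creations outside the allowlist, rated
    'high' for known shells/script hosts and 'medium' for any other child."""
    hits = []
    for ev in events:
        parent = image_name(ev.get("parent_image", ""))
        child = image_name(ev.get("image", ""))
        if parent not in AUTODESK_PARENTS or child in EXPECTED_CHILDREN:
            continue
        severity = "high" if child in SUSPICIOUS_CHILDREN else "medium"
        hits.append({"parent": parent, "child": child, "severity": severity,
                     "command_line": ev.get("command_line", "")})
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_LOG = r"""
{"image": "C:\\Windows\\System32\\conhost.exe", "parent_image": "C:\\Program Files\\Autodesk\\3ds Max\\3dsmax.exe", "command_line": "conhost.exe"}
{"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Autodesk\\3ds Max\\3dsmax.exe", "command_line": "powershell.exe"}
{"image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cmd.exe /c dir"}
{"image": "C:\\Users\\artist\\AppData\\Local\\Temp\\update.exe", "parent_image": "C:\\Program Files\\Autodesk\\Arnold\\bin\\kick.exe", "command_line": "update.exe"}
"""

if __name__ == "__main__":
    for hit in flag_events(parse_log(SAMPLE_LOG)):
        print(hit)
```

The allowlist keeps crash handlers and console hosts quiet, so the remaining medium-severity hits are worth a quick triage rather than an automatic page.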
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this Out-of-Bounds Write vulnerability necessitates immediate patching of all creative workstations. Organizations should prioritize updating Autodesk Arnold and 3ds Max to the latest versions to mitigate the risk of remote code execution through malicious media assets.