Product Details
These vulnerabilities affect multiple Autodesk desktop products that rely on Autodesk Shared Components (version 2026.5 and earlier). The issue is not isolated to a single application but exists within a shared parsing library used across several product lines.
Commonly Affected Products
- AutoCAD (including vertical toolsets)
- Civil 3D
- Revit
- Inventor
- 3ds Max
- Advance Steel
- InfraWorks
- Vault Client
The vulnerability exists in the component responsible for parsing structured design files such as .CATPART and .MODEL. Improper memory handling during file parsing results in memory corruption.
Both vulnerabilities are resolved in Autodesk Shared Components 2026.6.
Official Patch Link (Vendor Advisory & Upgrade Instructions):
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0004
CVE Summary Table
| CVE Name | CVE ID | CVSS v3.1 | Severity | Attack Vector | User Interaction | Exploitability | Exploit Availability | Impact |
|---|---|---|---|---|---|---|---|---|
| Autodesk CATPART Out-of-Bounds Write | CVE-2026-0874 | 7.8 | High | Local (malicious file) | Required | Moderate–High | No confirmed public exploit | Remote Code Execution |
| Autodesk MODEL Out-of-Bounds Write | CVE-2026-0875 | 7.8 | High | Local (malicious file) | Required | Moderate–High | No confirmed public exploit | Remote Code Execution |
Both vulnerabilities share identical technical characteristics. The only difference is the file format used to trigger the flaw.
Vulnerability Overview
CVE-2026-0874 – CATPART File Parsing Memory Corruption
Technical Description
An out-of-bounds write condition occurs when the parser processes malformed .CATPART files. During structured object parsing, boundary validation of memory buffers is insufficient. If manipulated size fields or offsets are supplied, data may be written outside allocated memory boundaries.
This corruption may:
- Overwrite adjacent heap memory
- Corrupt heap metadata
- Modify function pointers
- Redirect execution flow
If successfully exploited, arbitrary code may execute in the security context of the user opening the file.
CVE-2026-0875 – MODEL File Parsing Memory Corruption
Technical Description
The same class of vulnerability affects parsing of .MODEL files. Improper validation of array lengths and nested object structures allows memory overwrite conditions during file processing.
The vulnerability may lead to:
- Access violation crashes
- Controlled heap overwrite
- Execution of attacker-controlled payload
- Process compromise
How the Vulnerability Could Be Exploited
An attacker would typically:
- Craft a malicious CATPART or MODEL file.
- Embed manipulated structure headers or corrupted size fields.
- Deliver the file via phishing email, shared storage, or compromised supplier portal.
- Convince the user to open the file inside Autodesk software.
- Trigger memory corruption during parsing.
- Execute shellcode placed within controlled memory regions.
Because the vulnerability requires user interaction, exploitation relies heavily on social engineering. However, once opened, no additional privileges are required.
Educational Discussion on PoC and Payloads
No official public proof-of-concept exploit has been released. However, from a defensive research standpoint, exploitation of out-of-bounds write vulnerabilities typically involves:
- Fuzzing the file parser to identify crash conditions
- Analyzing crash dumps to determine overwrite offsets
- Performing heap grooming to control memory layout
- Overwriting return addresses or virtual function tables
- Using Return-Oriented Programming (ROP) chains to bypass memory protections
Potential payload behavior after exploitation may include:
- Spawning command shells
- Executing PowerShell commands
- Dropping secondary payloads
- Establishing outbound C2 communication
- Creating persistence via scheduled tasks
These scenarios are discussed strictly for defensive understanding.
MITRE Mapping
| Category | Mapping |
|---|---|
| CWE | CWE-787 – Out-of-Bounds Write |
| ATT&CK | T1204.002 – User Execution (Malicious File) |
| ATT&CK | T1203 – Exploitation for Client Execution |
| ATT&CK | T1059 – Command and Scripting Interpreter |
| ATT&CK | T1105 – Ingress Tool Transfer |
Indicators of Compromise
- Autodesk applications crashing immediately after opening CATPART or MODEL files
- Unexpected child processes such as cmd.exe or powershell.exe
- Network connections initiated by Autodesk executables
- Creation of scheduled tasks shortly after file opening
- Suspicious DLL loads inside Autodesk processes
- Increased memory exceptions recorded in crash dumps
Detection Strategy
Because exploitation involves file parsing and memory corruption, behavioral monitoring is critical.
Crash Monitoring – Windows Application Log
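```kql
// Application Error (1000) and Windows Error Reporting (1001) events that name an Autodesk executable
Event
| where EventLog == "Application"
| where EventID in (1000, 1001)
| where RenderedDescription has_any ("acad.exe","revit.exe","inventor.exe","3dsmax.exe")
| project TimeGenerated, Computer, RenderedDescription
```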
Suspicious Process Creation – Windows Security Log
```kql
// Shells and script hosts launched by an Autodesk parent process
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("acad.exe","revit.exe","inventor.exe","3dsmax.exe")
| where NewProcessName has_any ("cmd.exe","powershell.exe","mshta.exe","wscript.exe")
| project TimeGenerated, Account, ParentProcessName, NewProcessName, CommandLine
```
Suspicious File Activity
```kql
// CATPART and MODEL files seen on endpoints, with the process that touched them
DeviceFileEvents
| where FileName endswith ".catpart" or FileName endswith ".model"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName
```
Abnormal Network Behavior
```kql
// Remote IPs contacted more than five times by an Autodesk executable on a device
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("acad.exe","revit.exe","inventor.exe","3dsmax.exe")
| summarize count() by RemoteIP, DeviceName
| where count_ > 5
```
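Each query above looks at a single signal. The following Microsoft Defender advanced hunting query is an added example, not part of the vendor advisory: it correlates a CATPART or MODEL file being written to a device with an Autodesk process spawning a shell or script host on the same device shortly afterwards. The `DeviceProcessEvents` table, the `FileCreated` action type filter and the 30-minute window are assumptions to adjust for your environment; the process names are the ones used in the queries above.

```kql
// Added example: design file arrival followed by a suspicious Autodesk child process.
let autodeskProcs = dynamic(["acad.exe","revit.exe","inventor.exe","3dsmax.exe"]);
let suspiciousChildren = dynamic(["cmd.exe","powershell.exe","mshta.exe","wscript.exe"]);
let correlationWindow = 30m;   // assumption: tune to how long files sit before being opened
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".catpart" or FileName endswith ".model"
| project DeviceId, DeviceName, FileTime = Timestamp, DesignFile = FileName,
          FolderPath, WrittenBy = InitiatingProcessFileName
| join kind=inner (
    DeviceProcessEvents
    // Child process launched directly by an Autodesk executable
    | where InitiatingProcessFileName in~ (autodeskProcs)
    | where FileName in~ (suspiciousChildren)
    | project DeviceId, ProcTime = Timestamp,
              ParentProcess = InitiatingProcessFileName,
              ChildProcess = FileName, ProcessCommandLine, AccountName
  ) on DeviceId
// Keep only child processes that start after the file landed, inside the window
| where ProcTime >= FileTime and ProcTime <= FileTime + correlationWindow
| project FileTime, ProcTime, DeviceName, DesignFile, FolderPath, WrittenBy,
          ParentProcess, ChildProcess, ProcessCommandLine, AccountName
| sort by ProcTime asc
```

`WrittenBy` shows which process wrote the file to disk (for example a mail client or browser), which helps separate externally delivered files from ones saved by the CAD application itself.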
Log Sources Required
To properly detect and investigate exploitation attempts, the following log sources are recommended:
- Windows Application Event Logs
- Windows Security Event Logs (Process Creation – 4688)
- Sysmon (Process creation, DLL load, Network connections)
- Endpoint Detection & Response telemetry
- Email gateway logs
- Firewall and proxy logs
- Crash dump files from Autodesk applications
Risk Assessment
The vulnerability is rated High because arbitrary code execution is possible. Although the attack vector is local, the reliance on file sharing within engineering environments increases the practical risk.
Organizations exchanging design files externally face increased exposure. Intellectual property theft, ransomware deployment, or lateral movement may follow successful exploitation.
Mitigation and Remediation
Immediate actions recommended:
- Upgrade Autodesk Shared Components to version 2026.6.
- Restrict external CATPART and MODEL file handling until patching is complete.
- Enable process auditing and crash monitoring.
- Strengthen email filtering for CAD file attachments.
- Conduct awareness training for engineering teams.
Official Patch Link
Autodesk Security Advisory and upgrade instructions:
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0004
Upgrade to Autodesk Shared Components 2026.6 using Autodesk Access or the Autodesk Account portal.
Final Assessment
CVE-2026-0874 and CVE-2026-0875 represent memory corruption vulnerabilities in Autodesk Shared Components triggered by malicious design files. Both issues share identical technical characteristics and mitigation strategies. While no public exploit is currently confirmed, the nature of out-of-bounds write vulnerabilities makes controlled exploitation technically feasible.
Prompt patching and active monitoring remain the most effective defenses.
