THREAT INTELLIGENCE

Autodesk Out-of-Bounds Write RCE Flaws

Two vulnerabilities have been identified in Autodesk Shared Components that could allow remote attackers to execute arbitrary code. Exploitation requires user interaction, as a victim must open or run a maliciously crafted CATPART or MODEL file. There are currently no reports of active exploitation.

CVE

CVE-2026-0874
CVE-2026-0875

Targeting / Delivery Mechanism

Exploitation occurs when a user opens a maliciously crafted CATPART or MODEL file within affected Autodesk products. Attackers may deliver these files via email, shared storage, or compromised project repositories.

Execution Technique

Both vulnerabilities stem from out-of-bounds write conditions during file parsing. Improper memory handling allows crafted files to overwrite memory structures, potentially leading to application crashes, data corruption, or arbitrary code execution in the context of the current process.

Persistence / Deployment

If successfully exploited, attackers could execute arbitrary code, manipulate project data, deploy additional payloads, or move laterally within engineering environments depending on user privileges.

Impact and Smarttech247's Recommended Actions

Operational Impact

Severity is High (CVSS 7.8). Successful exploitation may result in system compromise, intellectual property exposure, corrupted design files, or operational disruption.

Validate Integrity

Identify systems running Autodesk Shared Components version 2026.5 or earlier. Review logs for unexpected crashes, suspicious file activity, or abnormal process execution following file imports.
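
The two checks above, sketched as an added example that is not from Autodesk or Smarttech247: it flags Shared Components versions older than 2026.6 and correlates a CATPART or MODEL file open with a crash or child process tied to the same process shortly afterwards. The JSON field names, host names, process names and the five-minute window are assumptions, and the events are constructed sample data.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # assumed correlation window, tune per environment
RISKY_EXT = (".catpart", ".model")   # file types named in the advisory
FIXED = (2026, 6)                    # first fixed Shared Components version per the advisory

# Constructed telemetry (JSON lines). Field names, hosts and process names are hypothetical.
SAMPLE = r"""
{"ts":"2026-02-03T09:14:02","host":"eng-ws-01","type":"file_open","pid":4120,"image":"cad_app.exe","path":"C:\\Users\\a\\Downloads\\bracket.CATPART"}
{"ts":"2026-02-03T09:14:09","host":"eng-ws-01","type":"proc_start","pid":5532,"ppid":4120,"image":"cmd.exe"}
{"ts":"2026-02-03T10:02:40","host":"eng-ws-02","type":"file_open","pid":880,"image":"cad_app.exe","path":"\\\\share\\proj\\housing.model"}
{"ts":"2026-02-03T10:02:44","host":"eng-ws-02","type":"app_crash","pid":880,"image":"cad_app.exe"}
{"ts":"2026-02-03T11:30:00","host":"eng-ws-03","type":"file_open","pid":77,"image":"cad_app.exe","path":"D:\\work\\plate.dwg"}
{"ts":"2026-02-03T11:30:05","host":"eng-ws-03","type":"app_crash","pid":77,"image":"cad_app.exe"}
{"ts":"2026-02-03T12:00:00","host":"eng-ws-01","type":"proc_start","pid":6001,"ppid":4120,"image":"powershell.exe"}
"""

def is_vulnerable(version: str) -> bool:
    """True for builds older than the fixed release, compared numerically (2026.10 > 2026.6)."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < FIXED

def correlate(lines):
    """Flag crashes or child processes that follow a CATPART/MODEL open by the same process."""
    opened = {}      # (host, pid) -> (time, path) of the latest risky file open
    findings = []
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_open":
            if ev["path"].lower().endswith(RISKY_EXT):
                opened[(ev["host"], ev["pid"])] = (ts, ev["path"])
            continue
        # A crash is tied to the crashing pid, a new process to its parent pid.
        owner = ev["pid"] if ev["type"] == "app_crash" else ev.get("ppid")
        hit = opened.get((ev["host"], owner))
        if hit and ts - hit[0] <= WINDOW:
            findings.append((ev["host"], ev["type"], ev["image"], hit[1]))
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE.splitlines()):
        print(finding)
```

A crash after opening an unrelated file type and a child process started hours after the file open are both left out of the findings, which keeps the review list short enough to triage by hand.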

Respond to Confirmed Compromise

Isolate affected endpoints. Review recently opened CATPART and MODEL files. Conduct forensic analysis and rebuild systems if compromise cannot be ruled out. Rotate credentials associated with affected systems if necessary.

Strengthen Preventative Controls

  • Upgrade Autodesk Shared Components to version 2026.6 or later.
  • Restrict users from opening untrusted project files.
  • Apply the Principle of Least Privilege.
  • Implement application control and monitoring for abnormal execution behaviour.
  • Maintain structured vulnerability management across engineering environments.

References

https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0004
https://www.autodesk.com/products/autodesk-a
