CVE-2025-6632: CWE-125 Out-of-Bounds Read in Autodesk 3ds Max
A maliciously crafted PSD file, when linked or imported into Autodesk 3ds Max, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
AI Analysis
Technical Summary
CVE-2025-6632 is an out-of-bounds read (CWE-125) in Autodesk 3ds Max 2026, triggered when a maliciously crafted PSD (Photoshop Document) file is linked or imported. The importer uses a length or offset value taken from the file without checking it against the data actually available, so a crafted file can make it read memory beyond the intended buffer.

The direct outcomes are an application crash (denial of service) and disclosure of whatever process memory lies beyond that buffer. Autodesk's advisory also lists arbitrary code execution in the context of the current process. An out-of-bounds read on its own does not give an attacker control of execution, so that outcome presupposes chaining the read (for example, leaking pointers to defeat ASLR) with a separate memory-corruption primitive; no such chain is described in the advisory.

The CVSS v3.1 base score is 5.3 (medium): attack vector local (AV:L), no privileges required (PR:N), user interaction required (UI:R), with limited impact on each of confidentiality, integrity and availability. In practice the victim must open or import the file, and the attacker delivers it by social engineering, through a shared project folder or via a compromised asset repository; no account on the victim's machine is needed. No exploits are known in the wild and no patch had been published at the time of this report. Only the 2026 release of 3ds Max, which is widely used in media, entertainment, architecture and design, is listed as affected. Because PSD textures are routinely exchanged between collaborators, users who import them frequently are the natural target of a targeted attack.
Potential Impact
For European organizations in creative industries (animation studios, architectural firms, game developers and others that rely on 3ds Max) the risk is tangible. Memory disclosure could expose project data or intellectual property held in the 3ds Max process, and a crash interrupts the artist's session and loses unsaved work. If the bug were chained to code execution, the attacker would run with the rights of the user who imported the file, gaining a foothold for persistence, lateral movement or a ransomware deployment. The need for user interaction and local file processing narrows the attack surface, but social engineering and compromised file repositories are the usual delivery route for file-format bugs, and the collaborative nature of creative projects, with frequent asset exchange, raises the chance that a hostile file is opened. Organizations subject to GDPR must also consider the confidentiality implications of a memory leak that contains personal data. Overall the vulnerability threatens the confidentiality, integrity and availability of design data and workstations: moderate severity by CVSS, but significant operational impact if exploited.
Mitigation Recommendations
Mitigation should be layered, since no patch was available at the time of this report. Restrict linking and importing of PSD files from untrusted or unknown sources in 3ds Max workflows, and where layered data is not needed prefer a flattened format (PNG, TIFF) exported by a trusted tool. Scan incoming PSD files at the ingest point, both for malware and for structural sanity: the signature, version and every declared section and resource-block length must fit inside the actual file size, and files that fail should be quarantined before they reach artists. Educate users on the risks of opening assets from unverified origins and enforce policies on file sharing. Monitor Autodesk's security advisories for a fix for CVE-2025-6632 and apply it promptly once published. In the interim, isolate 3ds Max usage where practical (a dedicated VM or a workstation without access to source-code or finance shares) to contain the damage of a successful exploit. Configure endpoint detection and response (EDR) to alert on crashes of the 3ds Max process while handling PSD input and on unexpected child processes or network connections originating from it. Back up project data regularly so that a disruption is recoverable. Finally, run 3ds Max under a standard (non-administrator) user account and apply application control (allow-listing) on creative workstations, so that code running in the context of the process cannot trivially escalate or persist.
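As an added illustration of the root cause described in the technical summary and of the structural check recommended above (example code written for this page, not Autodesk's or 3ds Max's code, whose PSD parser is not public), the snippet below walks the image-resources section of a PSD file in two ways. The layout follows Adobe's published format: big-endian integers, a 26-byte "8BPS" header, a length-prefixed colour-mode section, then a length-prefixed image-resources section made of "8BIM" blocks (signature, resource ID, Pascal-string name padded to even length, 4-byte data size, data padded to even length). The unchecked walker trusts the file's own length fields, which is the CWE-125 pattern: fed a constructed PSD whose single block declares 64 payload bytes while only 4 remain, it copies out whatever memory sits behind the file, here a constructed secret string standing in for process memory. The checked walker compares every length against the bytes that remain before using it, rejects the crafted file, and accepts the same bytes once the size field is honest. The sample bytes, the secret string and all function and type names are constructed for this example; other block signatures the format allows are not handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PSD_HEADER_LEN 26u

static uint32_t be32(const uint8_t *p) {             /* PSD integers are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Constructed sample, not a real file: valid header, empty colour-mode section, then an
 * image-resources section (declared length 16, honest) holding one 8BIM block whose
 * data-size field claims 64 bytes although only 4 bytes of file follow it. */
static const uint8_t k_crafted_psd[] = {
    '8','B','P','S', 0x00,0x01, 0,0,0,0,0,0,          /* signature, version 1, reserved */
    0x00,0x03, 0,0,0,0x10, 0,0,0,0x10, 0x00,0x08, 0x00,0x03, /* 3 ch, 16x16, 8-bit, RGB */
    0x00,0x00,0x00,0x00,                              /* colour-mode data length 0 */
    0x00,0x00,0x00,0x10,                              /* image-resources length 16 */
    '8','B','I','M', 0x04,0x24, 0x00,0x00,            /* block sig, ID 0x0424, empty name */
    0x00,0x00,0x00,0x40,                              /* data size 64: the lie (offset 42) */
    'A','B','C','D'                                   /* the only 4 payload bytes present */
};
#define CRAFTED_LEN (sizeof k_crafted_psd)             /* 50 bytes */

/* Constructed stand-in for whatever sits after the file buffer in the importer's heap. */
static const char k_secret[] = "LICENSE-TOKEN=example-not-real";

/* Vulnerable pattern (illustrative): offsets and sizes come from the file and are never
 * compared with the bytes available. out_cap only guards the destination; the source
 * read is unbounded, which is the CWE-125 defect. */
static size_t extract_first_resource_unchecked(const uint8_t *buf, uint8_t *out, size_t out_cap) {
    size_t off = PSD_HEADER_LEN;
    off += 4 + be32(buf + off);                       /* skip colour-mode data */
    off += 4 + 4 + 2;                                 /* section length, "8BIM", resource ID */
    size_t name_field = 1u + buf[off];                /* Pascal string, padded to even */
    off += name_field + (name_field & 1);
    uint32_t size = be32(buf + off);                  /* attacker-controlled */
    off += 4;
    if (size > out_cap) size = (uint32_t)out_cap;
    memcpy(out, buf + off, size);                     /* reads past the end of the file data */
    return size;
}

typedef struct { size_t blocks, first_data_off; uint32_t first_data_len; } psd_resources_t;

/* Hardened walk: every length is checked against the bytes that remain before it is used.
 * Returns 1 if the file is well-formed through the image-resources section, else 0.
 * Only the "8BIM" block signature is accepted here. */
static int walk_resources_checked(const uint8_t *buf, size_t len, psd_resources_t *res) {
    memset(res, 0, sizeof *res);
    if (len < PSD_HEADER_LEN || memcmp(buf, "8BPS", 4) != 0) return 0;
    size_t off = PSD_HEADER_LEN;
    if (len - off < 4) return 0;
    uint32_t cm_len = be32(buf + off); off += 4;
    if (cm_len > len - off) return 0;                 /* colour-mode data must fit */
    off += cm_len;
    if (len - off < 4) return 0;
    uint32_t res_len = be32(buf + off); off += 4;
    if (res_len > len - off) return 0;                /* section must fit in the file */
    size_t end = off + res_len;
    while (off < end) {
        if (end - off < 7 || memcmp(buf + off, "8BIM", 4) != 0) return 0;
        off += 6;
        size_t name_field = 1u + buf[off];
        name_field += name_field & 1;
        if (end - off < name_field) return 0;
        off += name_field;
        if (end - off < 4) return 0;
        uint32_t data_len = be32(buf + off); off += 4;
        if (data_len > end - off) return 0;           /* the check the unchecked walker lacks */
        if (res->blocks == 0) { res->first_data_off = off; res->first_data_len = data_len; }
        size_t padded = (size_t)data_len + (data_len & 1u);
        if (padded > end - off) return 0;             /* odd payloads are padded to even */
        off += padded;
        res->blocks++;
    }
    return 1;
}

/* The crafted file laid out in a larger buffer with the secret immediately behind it. */
static int unchecked_walker_reads_adjacent_memory(void) {
    uint8_t arena[256], out[128];
    memset(arena, 0, sizeof arena);
    memcpy(arena, k_crafted_psd, CRAFTED_LEN);
    memcpy(arena + CRAFTED_LEN, k_secret, sizeof k_secret);
    size_t n = extract_first_resource_unchecked(arena, out, sizeof out);
    /* 64 bytes copied although only 4 belong to the file; out[4..] is the secret */
    return n == 64 && memcmp(out + 4, k_secret, sizeof k_secret) == 0;
}

static int crafted_is_rejected(void) {
    psd_resources_t r;
    return walk_resources_checked(k_crafted_psd, CRAFTED_LEN, &r) == 0;
}

/* Same bytes with an honest data-size field (4): accepted, one block, payload at 46. */
static int honest_variant_is_accepted(void) {
    uint8_t buf[CRAFTED_LEN];
    psd_resources_t r;
    memcpy(buf, k_crafted_psd, CRAFTED_LEN);
    buf[45] = 0x04;                                   /* low byte of the data-size field */
    return walk_resources_checked(buf, CRAFTED_LEN, &r) == 1 &&
           r.blocks == 1 && r.first_data_off == 46 && r.first_data_len == 4;
}
```

Each of the three demonstration functions returns 1 when the behaviour it names occurs. The design point is in `walk_resources_checked`: a length read from the file is never added to an offset until it has been compared with `end - off`, and the comparison is done in that direction (remaining bytes on the right) so that it cannot wrap; the same discipline, applied to every section and block of a PSD file before import, is the structural sanity check the mitigation text calls for.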
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: autodesk
- Date Reserved: 2025-06-25T13:44:04.484Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6893bf74ad5a09ad00f40908
Added to database: 8/6/2025, 8:47:48 PM
Last enriched: 8/23/2025, 12:59:41 AM
Last updated: 10/18/2025, 1:48:42 AM
Related Threats
- CVE-2025-62655: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in The Wikimedia Foundation MediaWiki Cargo extension (Low)
- CVE-2025-62654: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in The Wikimedia Foundation MediaWiki QuizGame extension (Low)
- CVE-2025-62652: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in The Wikimedia Foundation MediaWiki WebAuthn extension (Medium)
- CVE-2025-62645: CWE-266 Incorrect Privilege Assignment in Restaurant Brands International assistant platform (Critical)
- CVE-2025-62644: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Restaurant Brands International assistant platform (Medium)