CVE-2024-36999

Published: Jun 25, 2024Modified: Nov 13, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: psirt@autodesk.com (Secondary)

Description

A maliciously crafted 3DM file, when parsed in opennurbs.dll through Autodesk applications, can force an Out-of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

Affected (36)

Products: Autodesk: Autocad, Autocad Architecture, Autocad Electrical, Autocad Map 3d, Autocad Mechanical, Autocad Mep, Autocad Plant 3d, Civil 3d, Advance Steel

9 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad	From 2022 to 2022.1.5
Autodesk Autocad	From 2023 to 2023.1.6
Autodesk Autocad	From 2024 to 2024.1.5
Autodesk Autocad	From 2025 to 2025.1

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad Architecture	From 2022 to 2022.1.5
Autodesk Autocad Architecture	From 2023 to 2023.1.6
Autodesk Autocad Architecture	From 2024 to 2024.1.5
Autodesk Autocad Architecture	From 2025 to 2025.1

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad Electrical	From 2022 to 2022.1.5
Autodesk Autocad Electrical	From 2023 to 2023.1.6
Autodesk Autocad Electrical	From 2024 to 2024.1.5
Autodesk Autocad Electrical	From 2025 to 2025.1

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad Map 3d	From 2022 to 2022.1.5
Autodesk Autocad Map 3d	From 2023 to 2023.1.6
Autodesk Autocad Map 3d	From 2024 to 2024.1.5
Autodesk Autocad Map 3d	From 2025 to 2025.1

Configuration E

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad Mechanical	From 2022 to 2022.1.5
Autodesk Autocad Mechanical	From 2023 to 2023.1.6
Autodesk Autocad Mechanical	From 2024 to 2024.1.5
Autodesk Autocad Mechanical	From 2025 to 2025.1

Configuration F

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad Mep	From 2022 to 2022.1.5
Autodesk Autocad Mep	From 2023 to 2023.1.6
Autodesk Autocad Mep	From 2024 to 2024.1.5
Autodesk Autocad Mep	From 2025 to 2025.1

Configuration G

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Autocad Plant 3d	From 2022 to 2022.1.5
Autodesk Autocad Plant 3d	From 2023 to 2023.1.6
Autodesk Autocad Plant 3d	From 2024 to 2024.1.5
Autodesk Autocad Plant 3d	From 2025 to 2025.1

Configuration H

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Civil 3d	From 2022 to 2022.1.5
Autodesk Civil 3d	From 2023 to 2023.1.6
Autodesk Civil 3d	From 2024 to 2024.1.5
Autodesk Civil 3d	From 2025 to 2025.1

Configuration I

4 vulnerable

Vulnerable Software	Affected Versions
Autodesk Advance Steel	From 2022 to 2022.1.5
Autodesk Advance Steel	From 2023 to 2023.1.6
Autodesk Advance Steel	From 2024 to 2024.1.5
Autodesk Advance Steel	From 2025 to 2025.1

Related CWEs

CWE-125

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (2)

https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010

Source: psirt@autodesk.com

Vendor Advisory

https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.