CVE-2023-36772

7.8 HIGH

📋 TL;DR

CVE-2023-36772 is a heap-based buffer overflow vulnerability in Microsoft 3D Builder that allows remote code execution when processing specially crafted 3D model files. Attackers can exploit this by tricking users into opening malicious files, potentially gaining the same privileges as the current user. This affects all Windows users with 3D Builder installed.

💻 Affected Systems

Products:
  • Microsoft 3D Builder
Versions: All versions prior to security update
Operating Systems: Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: 3D Builder is a default application on Windows 10/11 but may not be installed on all systems. Vulnerability requires user interaction to open malicious file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining administrative privileges, installing malware, stealing data, and establishing persistence.

🟠 Likely Case

Attacker gains user-level privileges to execute arbitrary code, potentially leading to data theft, ransomware deployment, or lateral movement.

🟢 If Mitigated

Limited impact due to application sandboxing or restricted user privileges, potentially only causing application crashes.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but these could be distributed via email, websites, or downloads.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared network drives containing malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious 3D file. No public exploit code was available at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security update through Windows Update

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36772

Restart Required: Yes

Instructions:

1. Open Windows Settings.
2. Go to Update & Security > Windows Update.
3. Click 'Check for updates'.
4. Install all available updates.
5. Restart the computer if prompted.

🔧 Temporary Workarounds

Uninstall 3D Builder

windows

Remove the vulnerable application entirely. As written, the command removes the package for the current user only; run it from an elevated PowerShell prompt with -AllUsers on both cmdlets to remove it from every profile on the machine.

Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage

Disable file type associations

windows

Prevent 3D files from automatically opening in 3D Builder. These are cmd.exe commands and must be run from an elevated Command Prompt; `assoc .ext=` deletes the machine-wide association, so any other application registered for these extensions loses it as well.

assoc .3mf=
assoc .stl=
assoc .obj=

🧯 If You Can't Patch

  • Restrict user privileges to standard user accounts (not administrator)
  • Implement application control policies to block 3D Builder execution

🔍 How to Verify

Check if Vulnerable:

Check whether 3D Builder is installed and whether Windows has pending security updates.

Check Version:

Get-AppxPackage Microsoft.3DBuilder | Select-Object -Property Version

Verify Fix Applied:

Verify that Windows Update history shows the September 2023 security updates installed.
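The three verification steps above combined into one script, as an added example that is not part of this advisory. It assumes an elevated PowerShell prompt; the patched build number is not stated on this page, so $PatchedVersion is a placeholder to replace with the version given in the vendor advisory.

```powershell
# Added example (not from the advisory): checks install state, package version,
# remaining 3D file associations and updates installed since September 2023.
# Run from an elevated PowerShell prompt (-AllUsers requires administrator rights).

# PLACEHOLDER: replace with the fixed build number from the MSRC advisory.
$PatchedVersion = [version]'0.0.0.0'
# September 2023 security release date used as the cut-off for Get-HotFix.
$PatchDate = Get-Date '2023-09-12'

$result = [ordered]@{}

# 1. Is 3D Builder installed in any user profile on this machine, and at which version(s)?
$pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.3DBuilder' -ErrorAction SilentlyContinue
$result.Installed = [bool]$pkgs
$result.Versions  = @($pkgs | ForEach-Object { $_.Version }) -join ', '
# Patched only if no installed copy is older than the placeholder fixed version.
$result.Patched = if ($pkgs) {
    -not ($pkgs | Where-Object { [version]$_.Version -lt $PatchedVersion })
} else {
    $null   # not installed, so not exposed
}

# 2. Which 3D model extensions still resolve to a ProgID (i.e. still open in some app)?
$result.Associations = foreach ($ext in '.3mf', '.stl', '.obj') {
    $key = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
    $progId = if ($key) { $key.'(default)' } else { $null }
    "$ext -> $(if ($progId) { $progId } else { '<none>' })"
}

# 3. How many updates has Get-HotFix recorded since the September 2023 release?
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate }
$result.UpdatesSinceSep2023 = @($recent).Count

[pscustomobject]$result | Format-List
```

Store-delivered app updates do not appear in Get-HotFix, so treat the package version as the authoritative check and the hotfix count as supporting evidence only.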

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of 3D Builder
  • Unusual process creation from 3DBuilder.exe
  • Suspicious file downloads with 3D extensions

Network Indicators:

  • Downloads of 3D model files from untrusted sources
  • Outbound connections from 3DBuilder.exe

SIEM Query:

Process Creation where Image contains '3DBuilder.exe' AND ParentImage not in ('explorer.exe', 'cmd.exe')
