Skip to main content

Autodesk 3ds Max CVE-2026-0660

HIGH
Stack-based Buffer Overflow (CWE-121)
2026-02-04 psirt@autodesk.com
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 03, 2026 - 14:32 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:22 NVD
7.8 (HIGH) 8.4 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 04, 2026 - 17:16 nvd
HIGH 7.8

DescriptionCVE.org

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

AnalysisAI

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a maliciously crafted GIF file, running attacker code in the context of the current user process. The flaw carries a CVSS 8.4 (High) rating due to local attack vector but full confidentiality, integrity, and availability impact, with no public exploit identified at time of analysis and a very low EPSS probability (0.01%) reflecting the file-open user-interaction model typical of DCC software.

Technical ContextAI

3ds Max is Autodesk's 3D modeling, animation, and rendering suite (CPE cpe:2.3:a:autodesk:3ds_max) that ingests numerous image and asset formats - including GIF - for textures, references, and scene assets. The root cause is CWE-121 (Stack-Based Buffer Overflow): the GIF parser writes attacker-controlled bytes past the bounds of a fixed-size stack buffer, allowing corruption of saved return addresses, stack frames, or adjacent local variables. Successful exploitation typically yields control of the instruction pointer and code execution in-process, subject to compiler/OS mitigations such as stack cookies, DEP, and ASLR.

RemediationAI

Apply the fix per Autodesk Security Advisory ADSK-SA-2026-0002 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002) - the exact fixed build number is not included in the provided data and should be retrieved from that advisory and Autodesk Access (https://www.autodesk.com/products/autodesk-access/overview), which is Autodesk's update delivery mechanism. As compensating controls until patching, restrict 3ds Max to opening assets only from trusted internal repositories, block ingestion of GIF files from external/email sources via endpoint policy or pipeline scanning, and require artists to inspect provenance before importing third-party scene bundles; the trade-off is reduced collaboration flexibility and potential workflow friction when working with external vendors or asset marketplaces.

CVE-2026-0538 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri

CVE-2026-0661 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re

CVE-2026-0537 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr

CVE-2026-7454 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL

CVE-2026-0662 HIGH
7.8 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori

CVE-2026-7452 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious

CVE-2026-7451 HIGH
7.8 May 26

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c

CVE-2026-0536 HIGH
7.8 Feb 04

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-

CVE-2023-25002 HIGH
7.8 Jun 27

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity

CVE-2022-25793 HIGH
7.8 Aug 10

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through

CVE-2022-27871 HIGH
7.8 Jun 21

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b

CVE-2022-27532 HIGH
7.8 Jun 16

A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while

Share

CVE-2026-0660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy