Autodesk 3ds Max CVE-2026-0660
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
AnalysisAI
Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a maliciously crafted GIF file, running attacker code in the context of the current user process. The flaw carries a CVSS 8.4 (High) rating due to local attack vector but full confidentiality, integrity, and availability impact, with no public exploit identified at time of analysis and a very low EPSS probability (0.01%) reflecting the file-open user-interaction model typical of DCC software.
Technical ContextAI
3ds Max is Autodesk's 3D modeling, animation, and rendering suite (CPE cpe:2.3:a:autodesk:3ds_max) that ingests numerous image and asset formats - including GIF - for textures, references, and scene assets. The root cause is CWE-121 (Stack-Based Buffer Overflow): the GIF parser writes attacker-controlled bytes past the bounds of a fixed-size stack buffer, allowing corruption of saved return addresses, stack frames, or adjacent local variables. Successful exploitation typically yields control of the instruction pointer and code execution in-process, subject to compiler/OS mitigations such as stack cookies, DEP, and ASLR.
RemediationAI
Apply the fix per Autodesk Security Advisory ADSK-SA-2026-0002 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002) - the exact fixed build number is not included in the provided data and should be retrieved from that advisory and Autodesk Access (https://www.autodesk.com/products/autodesk-access/overview), which is Autodesk's update delivery mechanism. As compensating controls until patching, restrict 3ds Max to opening assets only from trusted internal repositories, block ingestion of GIF files from external/email sources via endpoint policy or pipeline scanning, and require artists to inspect provenance before importing third-party scene bundles; the trade-off is reduced collaboration flexibility and potential workflow friction when working with external vendors or asset marketplaces.
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, re
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c
Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-
A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity
A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through
Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b
A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today