Skip to main content

Autodesk 3ds Max CVE-2026-0661

HIGH
Out-of-bounds Write (CWE-787)
2026-02-04 psirt@autodesk.com
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 03, 2026 - 14:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:22 NVD
7.8 (HIGH) 8.4 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 04, 2026 - 17:16 nvd
HIGH 7.8

DescriptionCVE.org

A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

AnalysisAI

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, resulting in a CWE-787 out-of-bounds write that corrupts memory and lets an attacker run code in the context of the user running 3ds Max. No public exploit identified at time of analysis, and the EPSS probability is only 0.01%, but the CVSS base score of 8.4 reflects the high impact when a victim is convinced to open a weaponized asset file.

Technical ContextAI

Autodesk 3ds Max is a Windows-based 3D modeling, animation, and rendering suite (CPE cpe:2.3:a:autodesk:3ds_max) that natively imports a wide range of legacy image formats, including the SGI RGB raster format historically used as texture input. The root cause is classified as CWE-787 (Out-of-bounds Write), meaning the RGB parser fails to correctly validate length, offset, or channel fields in the file header or pixel stream and writes attacker-controlled bytes past the bounds of a heap or stack buffer. Because image parsing happens in-process inside the main 3ds Max executable, corruption directly affects the running application's memory and control flow, enabling code execution under the user's security context.

RemediationAI

Apply the fixed 3ds Max build identified in Autodesk security advisory ADSK-SA-2026-0002 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002); exact patched version numbers are listed in that advisory and should be deployed through Autodesk Access. Until the patched build is rolled out, restrict 3ds Max workstations from opening RGB files from untrusted or external sources - block .rgb (and the related .sgi/.bw/.rgba variants) at email gateways and asset-ingest pipelines, require that third-party textures be converted to PNG or TIFF by an isolated conversion service before they reach artist workstations, and run 3ds Max under a non-administrator account so that successful exploitation is contained to the user's profile. The trade-off is that converting or blocking RGB files breaks legitimate workflows that consume SGI-format textures from vendors or legacy archives, so coordinate the block with asset-management teams.

CVE-2026-0538 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri

CVE-2026-0537 HIGH
8.4 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr

CVE-2026-0660 HIGH
8.4 Feb 04

Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious

CVE-2026-7454 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL

CVE-2026-0662 HIGH
7.8 Feb 04

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori

CVE-2026-7452 HIGH
7.8 May 26

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious

CVE-2026-7451 HIGH
7.8 May 26

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c

CVE-2026-0536 HIGH
7.8 Feb 04

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-

CVE-2023-25002 HIGH
7.8 Jun 27

A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity

CVE-2022-25793 HIGH
7.8 Aug 10

A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through

CVE-2022-27871 HIGH
7.8 Jun 21

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b

CVE-2022-27532 HIGH
7.8 Jun 16

A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while

Share

CVE-2026-0661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy