Autodesk 3ds Max CVE-2026-0661
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
AnalysisAI
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, resulting in a CWE-787 out-of-bounds write that corrupts memory and lets an attacker run code in the context of the user running 3ds Max. No public exploit identified at time of analysis, and the EPSS probability is only 0.01%, but the CVSS base score of 8.4 reflects the high impact when a victim is convinced to open a weaponized asset file.
Technical ContextAI
Autodesk 3ds Max is a Windows-based 3D modeling, animation, and rendering suite (CPE cpe:2.3:a:autodesk:3ds_max) that natively imports a wide range of legacy image formats, including the SGI RGB raster format historically used as texture input. The root cause is classified as CWE-787 (Out-of-bounds Write), meaning the RGB parser fails to correctly validate length, offset, or channel fields in the file header or pixel stream and writes attacker-controlled bytes past the bounds of a heap or stack buffer. Because image parsing happens in-process inside the main 3ds Max executable, corruption directly affects the running application's memory and control flow, enabling code execution under the user's security context.
RemediationAI
Apply the fixed 3ds Max build identified in Autodesk security advisory ADSK-SA-2026-0002 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002); exact patched version numbers are listed in that advisory and should be deployed through Autodesk Access. Until the patched build is rolled out, restrict 3ds Max workstations from opening RGB files from untrusted or external sources - block .rgb (and the related .sgi/.bw/.rgba variants) at email gateways and asset-ingest pipelines, require that third-party textures be converted to PNG or TIFF by an isolated conversion service before they reach artist workstations, and run 3ds Max under a non-administrator account so that successful exploitation is contained to the user's profile. The trade-off is that converting or blocking RGB files breaks legitimate workflows that consume SGI-format textures from vendors or legacy archives, so coordinate the block with asset-management teams.
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted GIF file, triggeri
Arbitrary code execution in Autodesk 3ds Max occurs when the application parses a maliciously crafted RGB image file, tr
Stack-based buffer overflow in Autodesk 3ds Max enables arbitrary code execution when the application parses a malicious
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directori
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a malicious
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously c
Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-
A maliciously crafted SKP file in Autodesk products is used to trigger use-after-free vulnerability. Rated high severity
A Stack-based Buffer Overflow Vulnerability in Autodesk 3ds Max 2022, 2021, and 2020 may lead to code execution through
Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may b
A maliciously crafted TIF file in Autodesk 3ds Max 2022 and 2021 can be used to write beyond the allocated buffer while
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today