Autodesk Revit CVE-2026-1288
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Local file-based trigger (AV:L), user must initiate conversion (UI:R), no privileges needed, crash-only impact with no C or I.
Primary rating from Vendor (autodesk).
CVSS VectorVendor: autodesk
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A maliciously crafted RFA file, when converted to FormIt via “Convert RFA to FormIt” in Autodesk Revit, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition.
AnalysisAI
NULL pointer dereference in Autodesk Revit's 'Convert RFA to FormIt' feature causes the application to crash when processing a specially crafted RFA file, resulting in a denial-of-service condition. All tracked versions of Autodesk Revit are affected per CPE data, with the attack requiring local file access and deliberate user interaction to trigger the vulnerable conversion workflow. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to have Autodesk Revit installed and to actively trigger the 'Convert RFA to FormIt' feature on a malicious RFA file - this specific conversion workflow is the vulnerable code path, not general RFA file opening. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) accurately reflects a moderate-severity, locally exploited denial-of-service issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malformed RFA file designed to trigger a null pointer condition during FormIt conversion and delivers it to a Revit user via email, a shared project folder, or a collaboration platform under the guise of a standard Revit family asset. The victim opens the file in Autodesk Revit and invokes 'Convert RFA to FormIt,' causing the application to dereference a null pointer and crash immediately. … |
| Remediation | Apply the vendor-released patch for Autodesk Revit through the Autodesk Access client available at https://www.autodesk.com/products/autodesk-access/overview. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A maliciously crafted RCS file, when parsed through Autodesk Revit, can force an Out-of-Bounds Write vulnerability. Rate
A maliciously crafted JPG file, when linked or imported into certain Autodesk applications, can force a Heap-Based Overf
A maliciously crafted DWG file, when parsed through Autodesk Revit, can cause a Stack-Based Buffer Overflow vulnerabilit
A maliciously crafted PDF file, when linked or imported into Autodesk applications, can force a Heap-Based Overflow vuln
A maliciously crafted PDF file, when parsed through Autodesk applications, can force a Memory Corruption vulnerability.
A maliciously crafted PDF file, when linked or imported into Autodesk applications, can force a Heap-Based Overflow vuln
Use-After-Free vulnerability (CWE-416) in Autodesk Revit triggered by maliciously crafted RFA (Revit Family) files that
A maliciously crafted DWG file, when parsed through certain Autodesk applications, can force an Out-of-Bounds Write vuln
CVE-2025-5037 is a memory corruption vulnerability in Autodesk Revit triggered by parsing maliciously crafted RFA, RTE,
CVE-2025-5040 is a heap-based buffer overflow vulnerability in Autodesk Revit's RTE file parser that allows local attack
A maliciously crafted SKP file, when linked or imported into Autodesk Revit, can be used to cause a Heap-based Overflow.
A maliciously crafted DLL file, when placed in the same directory as an RVT file could be loaded by Autodesk Revit, and
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today