Description
A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Published: 2026-02-04
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is an out-of-bounds write triggered when Autodesk 3ds Max parses a specially crafted RGB file. The resulting memory corruption allows an attacker to execute arbitrary code within the context of the process that is loading the file, potentially compromising the entire system. The weakness is identified as CWE-787, which carries risks to confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects Autodesk 3ds Max 2026, as indicated by the CPE string. The advisory lists a generic wildcard for all 3ds Max versions, so installations of 2026 and potentially earlier releases may be vulnerable. Administrators should verify the installed version and apply the patch if available.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, but the EPSS score is below 1%, suggesting that exploitation is currently unlikely. The vulnerability is not part of the CISA KEV catalog. The attack vector is inferred to be local or remote depending on how the malicious file is introduced: a malicious actor must supply the file to a user who opens it or to an automated import process. No publicly available exploit code is known at this time.

Generated by OpenCVE AI on June 3, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the update referenced in Autodesk security advisory adsk-sa-2026-0002 to address the memory corruption flaw
  • Restrict the use of the RGB import feature to trusted users or disable it entirely if the function is not required
  • Apply application whitelisting or endpoint protection policies to prevent execution of code derived from untrusted RGB files



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Title RGB File Parsing Memory Corruption
First Time appeared Autodesk
Autodesk 3ds Max
Weaknesses CWE-787
CPEs cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk 3ds Max
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-06-03T13:31:03.149Z

Reserved: 2025-12-23T07:17:33.132Z

Link: CVE-2026-0537

Vulnrichment

Updated: 2026-02-04T16:56:08.287Z

NVD

Status: Modified

Published: 2026-02-04T17:16:12.237

Modified: 2026-06-03T14:16:32.200

Link: CVE-2026-0537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T16:15:22Z

Weaknesses