Description
A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

This flaw is an out‑of‑bounds write triggered when Autodesk 3ds Max parses a specially crafted RGB file. The resulting memory corruption allows an attacker to execute arbitrary code within the context of the process that is loading the file, potentially compromising the entire system. The weakness is identified as CWE‑787, which carries risks to confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects Autodesk 3ds Max, but specific affected build numbers are not listed in the advisory. Administrators should check the detailed security advisory for any version constraints; treating all installations as potentially vulnerable until patched is a prudent approach.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score is below 1%, suggesting that exploitation is currently unlikely. The vulnerability is not part of the CISA KEV catalog. The attack vector is inferred to be local or remote depending on how the malicious file is introduced: a malicious actor must supply the file to a user who opens it or to an automated import process. No publicly available exploit code is known at this time.

Generated by OpenCVE AI on April 17, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the update referenced in Autodesk security advisory adsk‑sa‑2026‑0002 to address the memory corruption flaw
  • Restrict the use of the RGB import feature to trusted users or disable it entirely if the function is not required
  • Apply application whitelisting or endpoint protection policies to prevent execution of code derived from untrusted RGB files

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Title RGB File Parsing Memory Corruption
First Time appeared Autodesk
Autodesk 3ds Max
Weaknesses CWE-787
CPEs cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk 3ds Max
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-02-26T15:04:19.968Z

Reserved: 2025-12-23T07:17:33.132Z

Link: CVE-2026-0537

Vulnrichment

Updated: 2026-02-04T16:56:08.287Z

NVD

Status: Analyzed

Published: 2026-02-04T17:16:12.237

Modified: 2026-02-06T17:49:40.607

Link: CVE-2026-0537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses