Description
A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an out-of-bounds write during parsing of a malicious RGB file. The resulting memory corruption can be used to execute arbitrary code in the context of the running Autodesk 3ds Max process, leading to a full remote code execution condition. The weakness is a classic buffer overflow, classified as CWE-787.

Affected Systems

All releases of Autodesk 3ds Max are affected, as indicated by the vendor and product list. No specific version constraints were provided, so apply the guidance to all current and legacy builds.

Risk and Exploitability

The CVSS score of 7.8 highlights a substantial impact if exploited. The very low EPSS score of less than 1% indicates a low estimated likelihood of exploitation at present, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation would typically require an attacker to supply a crafted RGB file that the user or a compromised process subsequently parses. This implies a local or user-initiated attack vector, consistent with the AV:L and UI:R components of the CVSS vector, unless RGB files are accepted from external sources.

Generated by OpenCVE AI on April 17, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Autodesk 3ds Max patch or upgrade to a newer release as detailed in the Autodesk security advisory.
  • If a patch is unavailable, configure the application or the surrounding environment to reject or quarantine unknown RGB files, and disable any automatic processing of such files until a fix is applied.
  • Implement network or host‑based controls to prevent untrusted users from providing or injecting RGB files into the system, and monitor for anomalous file‑handling activities.



Advisories

No advisories yet.

History

Fri, 06 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*

Fri, 06 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Title Out-of-Bounds Write in RGB File Parsing
First Time appeared Autodesk
Autodesk 3ds Max
Weaknesses CWE-787
CPEs cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk 3ds Max
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-02-26T15:04:19.691Z

Reserved: 2026-01-06T19:58:23.903Z

Link: CVE-2026-0661

Vulnrichment

Updated: 2026-02-04T16:54:22.922Z

NVD

Status: Analyzed

Published: 2026-02-04T17:16:12.947

Modified: 2026-02-06T16:26:55.207

Link: CVE-2026-0661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses