Description
A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A maliciously crafted project directory can trick Autodesk 3ds Max into executing code when a .max file is opened. The vulnerability arises from an untrusted search path that permits the program to load executables from directories controlled by the project, enabling arbitrary code to run with the same privileges as the user. This flaw is categorized as CWE‑426.

Affected Systems

The affected product is Autodesk 3ds Max, specifically version 2026 as indicated in the referenced CPEs. Earlier releases may also be impacted if they employ similar loading mechanisms; however, only 2026 is explicitly noted.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attack requires a user to open a malicious .max file or otherwise work from a crafted project directory, so the vector is local and user-initiated rather than reachable from a network source.

Generated by OpenCVE AI on April 17, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Autodesk 3ds Max security update provided in Security Advisory ADK‑2026‑0002.
  • Ensure that directories referenced in project files are fully trusted and do not contain potentially malicious executables.
  • Verify that the system PATH used by 3ds Max does not include untrusted or writable directories that could be used for loading executables.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.
Title Untrusted Search Path Vulnerability when opening max Files
First Time appeared Autodesk, Autodesk 3ds Max
Weaknesses CWE-426
CPEs cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
Vendors & Products Autodesk, Autodesk 3ds Max
References
Metrics cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-02-26T15:04:19.038Z

Reserved: 2026-01-06T19:58:25.162Z

Link: CVE-2026-0662

Vulnrichment

Updated: 2026-02-04T16:50:37.226Z

NVD

Status: Analyzed

Published: 2026-02-04T17:16:13.100

Modified: 2026-02-06T14:45:33.330

Link: CVE-2026-0662

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses