{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0661", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "state": "PUBLISHED", "assignerShortName": "autodesk", "dateReserved": "2026-01-06T19:58:23.903Z", "datePublished": "2026-02-04T16:27:13.416Z", "dateUpdated": "2026-02-26T15:04:19.691Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "3ds Max", "vendor": "Autodesk", "versions": [{"lessThan": "2026.3.2", "status": "affected", "version": "2026", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process."}], "value": "A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-04T16:27:13.416Z"}, "references": [{"tags": ["patch"], "url": "https://www.autodesk.com/products/autodesk-access/overview"}, {"tags": ["vendor-advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002"}], "source": {"discovery": "EXTERNAL"}, "title": "Out-of-Bounds Write in RGB File Parsing", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0661", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T04:55:23.983770Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:19.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0661", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T04:55:23.983770Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:54:22.922Z"}}], "cna": {"title": "Out-of-Bounds Write in RGB File Parsing", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*"], "vendor": "Autodesk", "product": "3ds Max", "versions": [{"status": "affected", "version": "2026", "lessThan": "2026.3.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.autodesk.com/products/autodesk-access/overview", "tags": ["patch"]}, {"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "value": "A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-04T16:27:13.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0661", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:19.691Z", "dateReserved": "2026-01-06T19:58:23.903Z", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "datePublished": "2026-02-04T16:27:13.416Z", "assignerShortName": "autodesk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF0B2FEF-FF28-4FF2-91CF-B417FB77CF04", "versionEndExcluding": "2026.3.2", "versionStartIncluding": "2026", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process."}], "id": "CVE-2026-0661", "lastModified": "2026-02-06T16:26:55.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@autodesk.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:12.947", "references": [{"source": "psirt@autodesk.com", "tags": ["Product"], "url": "https://www.autodesk.com/products/autodesk-access/overview"}, {"source": "psirt@autodesk.com", "tags": ["Vendor Advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002"}], "sourceIdentifier": "psirt@autodesk.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "psirt@autodesk.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:27:08.176772+00:00", "value": {"mitigation_remediation": ["Apply the latest Autodesk\u202f3ds\u202fMax patch or upgrade to a newer release as detailed in the Autodesk security advisory.", "If a patch is unavailable, configure the application or the surrounding environment to reject or quarantine unknown RGB files, and disable any automatic processing of such files until a fix is applied.", "Implement network or host\u2011based controls to prevent untrusted users from providing or injecting RGB files into the system, and monitor for anomalous file\u2011handling activities."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of Autodesk\u00a03ds\u00a0Max are affected, as indicated by the vendor and product list. No specific version constraints were provided, so apply the guidance to all current and legacy builds.", "description_and_impact": "The vulnerability arises from an out\u2011of\u2011bounds write during parsing of a malicious RGB file. This corrupted memory can be used to execute arbitrary code in the context of the running Autodesk\u202f3ds\u202fMax process, leading to a full remote code execution condition. The weakness is a classic buffer overflow, classified as CWE\u2011787.", "risk_and_exploitability": "The CVSS score of 7.8 highlights a substantial impact if exploited. The very low EPSS score of less than 1% suggests that attacks are infrequent at present, and the vulnerability is not yet listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitation would typically require an attacker to supply a crafted RGB file that the user or a compromised process subsequently parses, implying a local or user\u2011initiated attack vector unless RGB files are accepted from external sources."}}}}, "created": "2026-04-17T23:30:15.918515+00:00", "updated": "2026-04-17T23:30:15.918526+00:00", "vendors": []}