CVE-2026-0661

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code by tricking users into opening malicious RGB files in Autodesk 3ds Max. Users who open untrusted RGB files in affected versions of 3ds Max are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Autodesk 3ds Max
Versions: prior to 2026.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where 3ds Max is installed and users open RGB files from untrusted sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the 3ds Max user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms on the affected workstation.

🟢 If Mitigated

Limited impact if file execution is blocked or user runs with minimal privileges, though some data loss or corruption may still occur.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2 or later

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002

Restart Required: Yes

Instructions:

1. Open Autodesk Access application.
2. Check for updates.
3. Install 3ds Max 2026.2 or later.
4. Restart the application.

🔧 Temporary Workarounds

Block RGB file execution (Windows)

Prevent 3ds Max from opening RGB files by modifying file associations or using application control.

Run with reduced privileges (Windows)

Run 3ds Max with standard user privileges instead of administrator rights to limit potential damage.

🧯 If You Can't Patch

  • Implement strict file validation policies to block RGB files from untrusted sources
  • Use application whitelisting to prevent execution of unauthorized RGB files

🔍 How to Verify

Check if Vulnerable:

Check the 3ds Max version in Help > About Autodesk 3ds Max. If the version is earlier than 2026.2, the system is vulnerable.

Check Version:

Not applicable - check via GUI in Help > About

Verify Fix Applied:

Confirm version is 2026.2 or later in Help > About Autodesk 3ds Max.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process crashes of 3dsmax.exe
  • Unusual file access patterns to RGB files

Network Indicators:

  • Outbound connections from 3ds Max process to unknown IPs

SIEM Query:

Process:Name='3dsmax.exe' AND (EventID=1000 OR EventID=1001) AND CommandLine Contains '.rgb'
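
One way to apply the intent of the query above, as an added example that is not from this page's source or the vendor advisory: Windows crash events (1000/1001) do not carry a command line, so this code joins process-creation records that name a .rgb file with a later 3dsmax.exe crash on the same host. The normalized field names, the use of Security event 4688 for process creation, the five-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not real logs).
# 4688 = Security process creation (needs command-line auditing enabled);
# 1000 = Application Error, 1001 = Windows Error Reporting.
EVENTS = [
    {"ts": "2026-03-02T09:14:05", "host": "WS-ART-01", "event_id": 4688,
     "image": "3dsmax.exe",
     "command_line": r'"3dsmax.exe" "C:\Users\a\Downloads\tex_01.rgb"'},
    {"ts": "2026-03-02T09:14:09", "host": "WS-ART-01", "event_id": 1000,
     "image": "3dsmax.exe", "command_line": ""},
    {"ts": "2026-03-02T10:02:00", "host": "WS-ART-02", "event_id": 4688,
     "image": "3dsmax.exe", "command_line": r'"3dsmax.exe" "D:\proj\scene.max"'},
    {"ts": "2026-03-02T10:30:00", "host": "WS-ART-02", "event_id": 1000,
     "image": "3dsmax.exe", "command_line": ""},
    {"ts": "2026-03-02T11:00:00", "host": "WS-ART-03", "event_id": 4688,
     "image": "3dsmax.exe", "command_line": r'"3dsmax.exe" "C:\tmp\sky.RGB"'},
]

CRASH_IDS = {1000, 1001}
TARGET = "3dsmax.exe"


def rgb_opens_followed_by_crash(events, window=timedelta(minutes=5)):
    """Return (host, launch_ts, crash_ts) for each .rgb launch followed by a crash."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    hits = []
    for launch in parsed:
        # Only 3dsmax.exe launches whose command line names a .rgb file.
        if (launch["event_id"] != 4688 or launch["image"].lower() != TARGET
                or ".rgb" not in launch["command_line"].lower()):
            continue
        # First crash of the same process on the same host inside the window.
        for crash in parsed:
            if (crash["event_id"] in CRASH_IDS and crash["host"] == launch["host"]
                    and crash["image"].lower() == TARGET
                    and timedelta(0) <= crash["t"] - launch["t"] <= window):
                hits.append((launch["host"], launch["ts"], crash["ts"]))
                break
    return hits


if __name__ == "__main__":
    for hit in rgb_opens_followed_by_crash(EVENTS):
        print("ALERT", *hit)
```

A file opened from inside an already running 3ds Max session never appears on a command line, so this correlation only covers launches by double-click or file association; file-access telemetry is needed for the rest.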
