CVE-2026-7451 Overview
CVE-2026-7451 is an out-of-bounds write vulnerability in Autodesk 3ds Max affecting the parsing of TIF image files. A maliciously crafted TIF file processed by 3ds Max triggers memory corruption outside the bounds of an allocated buffer. Attackers can leverage this flaw to crash the application, corrupt data, or execute arbitrary code in the context of the current process. The vulnerability requires local access and user interaction, typically through opening or importing the malicious file. Autodesk published Security Advisory ADSK-SA-2026-0006 documenting the issue, which affects 3ds Max versions 2026 and 2027. The weakness is classified under [CWE-787] (Out-of-bounds Write).
Critical Impact
Successful exploitation can result in arbitrary code execution on workstations running affected versions of Autodesk 3ds Max, compromising confidentiality, integrity, and availability of the host process.
Affected Products
- Autodesk 3ds Max 2026
- Autodesk 3ds Max 2027
- Workstations running affected 3ds Max versions on supported operating systems
Discovery Timeline
- 2026-05-26 - CVE-2026-7451 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-7451
Vulnerability Analysis
The vulnerability resides in the TIF (Tagged Image File Format) parsing logic within Autodesk 3ds Max. When the application processes a TIF file containing crafted header fields or image data structures, the parser writes data past the end of an allocated buffer. Out-of-bounds writes corrupt adjacent memory, including heap metadata, function pointers, or object references used by the application. Attackers who control the overwritten bytes can redirect execution flow and run arbitrary code inside the 3ds Max process. The flaw maps to [CWE-787] and impacts both the 2026 and 2027 release lines of the product.
Root Cause
The parser fails to validate length, offset, or count fields parsed from untrusted TIF input against the size of destination buffers. Without proper bounds checking, attacker-controlled values from the file header or tag directories drive write operations beyond allocated memory. This pattern is consistent across image-format parsing bugs that combine attacker-controlled metadata with fixed-size or undersized buffers.
Attack Vector
Exploitation requires a user to open or import a malicious TIF file in Autodesk 3ds Max. Delivery channels include phishing attachments, compromised asset libraries, third-party model marketplaces, and shared project files within studios. The attack is local and requires user interaction, but the resulting code execution runs with the privileges of the user invoking 3ds Max. In studio environments where artists hold access to source assets, build pipelines, or signing keys, this access can support lateral movement.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Autodesk Security Advisory ADSK-SA-2026-0006 for vendor technical detail.
Detection Methods for CVE-2026-7451
Indicators of Compromise
- Unexpected crashes of 3dsmax.exe shortly after opening or importing TIF assets.
- TIF files received from untrusted sources with anomalous header sizes, malformed tag directories, or unusual file sizes relative to declared image dimensions.
- Creation of new child processes or command interpreters spawned by 3dsmax.exe.
- Outbound network connections initiated by 3dsmax.exe to unfamiliar hosts following asset import.
Detection Strategies
- Monitor process creation events where 3dsmax.exe is the parent of cmd.exe, powershell.exe, rundll32.exe, or other living-off-the-land binaries.
- Inspect Windows Error Reporting and crash dumps for access violations originating in 3ds Max image-parsing modules.
- Apply file-type analysis on inbound TIF files at email and web gateways, flagging structurally malformed images.
Monitoring Recommendations
- Centralize endpoint telemetry from artist workstations to detect anomalous behavior chained from 3ds Max sessions.
- Track file-open and import events for TIF assets sourced from external networks or removable media.
- Alert on persistence mechanisms (Run keys, scheduled tasks, service installs) created within minutes of a 3ds Max crash event.
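The child-process rule from Detection Strategies and the persistence-after-crash alert above can be expressed as one pass over endpoint telemetry. The following is an added example, not part of the advisory. The event schema, field names, host names, and the 10-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Child images named in the detection strategy; extend per environment.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
PERSISTENCE_KINDS = {"run_key", "scheduled_task", "service_install"}

def triage(events, window=timedelta(minutes=10)):
    """Return (rule, host, detail) alerts, evaluating events in time order.

    Events use a hypothetical normalized schema: time, host, kind, plus
    parent/image for process_create and image for crash events.
    """
    alerts, last_crash = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host, kind = ev["host"], ev["kind"]
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if kind == "process_create" and parent == "3dsmax.exe" and image in SUSPECT_CHILDREN:
            alerts.append(("3dsmax_child", host, image))
        elif kind == "crash" and image == "3dsmax.exe":
            last_crash[host] = ev["time"]  # remember the most recent crash per host
        elif kind in PERSISTENCE_KINDS and host in last_crash:
            if ev["time"] - last_crash[host] <= window:
                alerts.append(("persistence_after_crash", host, kind))
    return alerts

def _t(hhmm):
    """Timestamp helper for the constructed sample below."""
    return datetime.strptime("2026-06-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample telemetry (not real logs).
SAMPLE = [
    {"time": _t("09:00"), "host": "ws-art-01", "kind": "process_create", "parent": "explorer.exe", "image": "3dsmax.exe"},
    {"time": _t("09:05"), "host": "ws-art-01", "kind": "process_create", "parent": "3dsmax.exe", "image": "PowerShell.exe"},
    {"time": _t("09:06"), "host": "ws-art-01", "kind": "crash", "image": "3dsmax.exe"},
    {"time": _t("09:09"), "host": "ws-art-01", "kind": "run_key"},
    {"time": _t("09:30"), "host": "ws-art-02", "kind": "crash", "image": "3dsmax.exe"},
    {"time": _t("10:30"), "host": "ws-art-02", "kind": "scheduled_task"},
]
```

On the sample, `triage(SAMPLE)` raises both rules for `ws-art-01` and nothing for `ws-art-02`, whose scheduled task falls outside the window.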
How to Mitigate CVE-2026-7451
Immediate Actions Required
- Inventory endpoints running Autodesk 3ds Max 2026 and 2027 and prioritize them for patching.
- Apply the updates referenced in Autodesk Security Advisory ADSK-SA-2026-0006 as soon as they are available through Autodesk Access.
- Restrict the import of TIF files from untrusted sources, including external email attachments and unverified asset libraries.
- Educate artists and pipeline engineers on the risk of opening unsolicited model or texture packages.
Patch Information
Autodesk has published guidance and fixed releases through Autodesk Security Advisory ADSK-SA-2026-0006. Customers should manage updates through Autodesk Access and validate that affected installations are upgraded to the vendor-recommended versions. Confirm patch deployment by querying installed 3ds Max build numbers across managed endpoints.
Workarounds
- Block or quarantine TIF files originating from untrusted external sources at email and file-transfer gateways until patches are applied.
- Run 3ds Max under standard user accounts without administrative privileges to limit the impact of code execution.
- Use application allowlisting and child-process restrictions to prevent 3dsmax.exe from launching scripting interpreters or shells.
- Isolate workstations that regularly handle third-party assets from sensitive build and signing infrastructure.
# Example: enumerate installed 3ds Max versions on Windows endpoints via PowerShell
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
Where-Object { $_.DisplayName -like 'Autodesk 3ds Max*' } |
Select-Object DisplayName, DisplayVersion, InstallLocation


