Cyber Resilience

CVE-2026-0662

High · LPE

Published: 04 February 2026

Modified: 06 February 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0662 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Autodesk 3ds Max. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 1.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-0662 is a vulnerability affecting Autodesk 3ds Max, where a maliciously crafted project directory can lead to arbitrary code execution in the context of the current process when opening a .max file. This issue stems from the use of an untrusted search path, mapped to CWE-426. Published on 2026-02-04T17:16:13.100, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability by convincing a user to open a specially crafted .max file located in a malicious project directory. No special privileges are required, though user interaction is necessary and attack complexity is low. Successful exploitation results in high-impact arbitrary code execution with full confidentiality, integrity, and availability compromise within the application's process context.

Mitigation details are available in Autodesk's security advisory ADSK-SA-2026-0002 at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002. Additional context on Autodesk Access is provided at https://www.autodesk.com/products/autodesk-access/overview.

Vulnerability details

A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.

CWE(s)

CWE-426 (Untrusted Search Path)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1204.002 Malicious File · Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1574.008 Path Interception by Search Order Hijacking · Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

A malicious .max file opened by the user triggers arbitrary code execution via an untrusted search path (CWE-426), which maps directly to malicious file execution and search order path interception.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7454 · Same product: Autodesk 3ds Max
CVE-2026-0537 · Same product: Autodesk 3ds Max
CVE-2026-0660 · Same product: Autodesk 3ds Max
CVE-2026-0661 · Same product: Autodesk 3ds Max
CVE-2026-7452 · Same product: Autodesk 3ds Max
CVE-2026-0536 · Same product: Autodesk 3ds Max
CVE-2026-7451 · Same product: Autodesk 3ds Max
CVE-2026-0538 · Same product: Autodesk 3ds Max
CVE-2025-1652 · Same vendor: Autodesk
CVE-2025-1651 · Same vendor: Autodesk

Affected Assets

Vendor: autodesk
Product: 3ds max
Versions: 2026 — 2026.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the untrusted search path vulnerability by identifying, prioritizing, and applying vendor patches as specified in Autodesk's security advisory.

prevent

Enforces software integrity verification prior to execution, preventing the loading and running of arbitrary code from untrusted project directories via code signing or checksum checks.

prevent · detect

Deploys malicious code protection mechanisms that scan and block execution of malicious DLLs or payloads loaded from untrusted search paths in .max files.
