CVE-2026-0662
Published: 04 February 2026
Summary
CVE-2026-0662 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Autodesk 3ds Max. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 0.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the untrusted search path vulnerability by identifying, prioritizing, and applying vendor patches as specified in Autodesk's security advisory.
Enforces software integrity verification prior to execution, preventing the loading and running of arbitrary code from untrusted project directories via code signing or checksum checks.
Deploys malicious code protection mechanisms that scan for and block execution of malicious DLLs or payloads loaded through an untrusted search path when a .max file is opened.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A malicious .max file opened by the user triggers arbitrary code execution via an untrusted search path (CWE-426), which maps directly to malicious file execution and search order path interception.
NVD Description
A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.
Deeper analysis
CVE-2026-0662 is a vulnerability affecting Autodesk 3ds Max, where a maliciously crafted project directory can lead to arbitrary code execution in the context of the current process when opening a .max file. This issue stems from the use of an untrusted search path, mapped to CWE-426. Published on 2026-02-04T17:16:13.100, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability by convincing a user to open a specially crafted .max file located in a malicious project directory. No special privileges are required, though user interaction is necessary and attack complexity is low. Successful exploitation results in high-impact arbitrary code execution with full confidentiality, integrity, and availability compromise within the application's process context.
Mitigation details are available in Autodesk's security advisory ADSK-SA-2026-0002 at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002. Additional context on Autodesk Access is provided at https://www.autodesk.com/products/autodesk-access/overview.
Details
- CWE(s)