PatchSiren cyber security CVE debrief

CVE-2026-1288 Autodesk CVE debrief

CVE-2026-1288 is a medium-severity vulnerability in Autodesk Revit that can cause a denial-of-service condition. A maliciously crafted RFA file can trigger a NULL pointer dereference when it is converted to FormIt via 'Convert RFA to FormIt'. Successful exploitation may cause the application to crash. The vulnerability has a CVSS score of 5.5 and is rated medium severity. The CVE was published on 2026-06-17T17:16:42.857Z and last modified on 2026-06-17T18:17:35.457Z.

Vendor: Autodesk
Product: Revit
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-22
Advisory published: 2026-06-17
Advisory updated: 2026-06-22

Who should care

Users of Autodesk Revit who work with RFA files, particularly those in construction, architecture, and engineering industries, should be aware of this vulnerability. IT administrators and security teams responsible for managing and securing Autodesk Revit installations should prioritize patching and mitigation efforts.

Technical summary

The vulnerability occurs when a maliciously crafted RFA file is converted to FormIt via 'Convert RFA to FormIt' in Autodesk Revit. The conversion dereferences a NULL pointer, which crashes the application and results in a denial-of-service condition. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector, low attack complexity, no privileges required, user interaction required (the user must open or convert the file), unchanged scope, no confidentiality or integrity impact, and high availability impact. Together these yield a medium-severity base score of 5.5.

Defensive priority

Medium

Recommended defensive actions

  • Apply the latest security patches and updates for Autodesk Revit
  • Implement strict file validation and sanitization for RFA files
  • Restrict access to the 'Convert RFA to FormIt' feature to authorized users
  • Monitor Autodesk Revit logs for suspicious activity
  • Consider using alternative file formats or conversion methods
  • Keep Autodesk Revit software up-to-date with the latest security fixes
  • Review and update incident response plans to address potential denial-of-service attacks

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. Autodesk's security advisories and product documentation may offer additional context and mitigation guidance. The CWE-476 weakness classification indicates a NULL Pointer Dereference vulnerability.
