PatchSiren cyber security CVE debrief

CVE-2026-7450 Autodesk CVE debrief

A NULL pointer dereference vulnerability exists in Autodesk 3ds Max when parsing maliciously crafted PAR files. Successful exploitation causes an application crash and denial of service. The vulnerability is rated MEDIUM severity (CVSS 5.3) and affects 3ds Max versions 2026 and 2027. The issue was disclosed by Autodesk's PSIRT on May 26, 2026, with the official vendor advisory ADSK-SA-2026-0006 published the same day. No known exploitation in ransomware campaigns has been reported.

Vendor: Autodesk
Product: 3ds Max
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations using Autodesk 3ds Max 2026 or 2027 for 3D modeling and animation workflows. Security teams in media, entertainment, architecture, engineering, and construction sectors where 3ds Max is deployed. Incident response teams monitoring for denial-of-service conditions in creative software environments.

Technical summary

The vulnerability stems from improper NULL pointer handling during PAR (Particle System) file parsing in Autodesk 3ds Max. When a malformed PAR file is opened, the application dereferences a NULL pointer, resulting in immediate process termination. The attack requires local access and user interaction to open the malicious file. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) indicates limited confidentiality, integrity, and availability impacts due to the crash-only nature of the vulnerability. No privilege escalation or code execution capabilities have been attributed to this flaw.

Defensive priority

medium

Recommended defensive actions

  • Apply security updates from Autodesk when available per vendor advisory ADSK-SA-2026-0006
  • Restrict execution of untrusted PAR files in 3ds Max environments
  • Implement application whitelisting to prevent unauthorized 3ds Max execution
  • Monitor for unexpected 3ds Max process crashes as a potential exploitation indicator
  • Review Autodesk Access for patch deployment management

Evidence notes

The vulnerability is confirmed through the official Autodesk PSIRT advisory and NVD analysis. CPE criteria confirm the affected versions: 3ds Max 2026 and 2027. The CVSS vector indicates a local attack vector with user interaction required. CWE-476 (NULL Pointer Dereference) is classified as the primary weakness.

Official resources

The vulnerability was published in the NVD on May 26, 2026 at 18:16 UTC, with the record modified later that day at 20:41 UTC. Autodesk's security advisory was issued concurrently with CVE publication.