CVE-2026-1288
Analyzed
Analyzed - Analysis Complete
NULL Pointer Dereference in Autodesk Revit via RFA Conversion
Vulnerability report for CVE-2026-1288, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-17
Last updated on: 2026-06-29
Assigner: Autodesk
Description
Description
A maliciously crafted RFA file, when converted to FormIt via “Convert RFA to FormIt” in Autodesk Revit, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| autodesk | revit | From 2024 (inc) to 2024.3.5 (exc) |
| autodesk | revit | From 2025 (inc) to 2025.4.5 (exc) |
| autodesk | revit | From 2026 (inc) to 2026.4.1 (exc) |
| autodesk | revit | From 2027 (inc) to 2027.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |