NULL Pointer Dereference in Autodesk Revit Affects Users
CVE-2026-1288

5.5MEDIUM

Key Information:

Vendor: Autodesk
Status: Revit
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-1288?

A vulnerability exists in Autodesk Revit that allows for a NULL pointer dereference when a maliciously crafted RFA file is converted into a FormIt model through the 'Convert RFA to FormIt' feature. If exploited, this vulnerability may result in the application crashing and lead to a denial-of-service situation, disrupting user access and productivity.

Affected Version(s)

Revit 2027.0.0 < 2027.1.0

Revit 2026.0.0 < 2026.4.1

Revit 2025.0.0 < 2025.4.5

References

https://www.autodesk.com/trust/security-advisories/adsk-s...

vendor-advisory

https://www.autodesk.com/products/autodesk-access/overview

patch

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jan 21, 2026

CVE-2026-1288 Data

JSON