CVE-2017-15746 in IrfanView

Summary

by MITRE

IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .dwg file, related to "Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x00000000003d21b3."


Analysis

by VulDB Data Team • 05/08/2026

The vulnerability CVE-2017-15746 represents a critical buffer overflow condition affecting IrfanView 4.50 64-bit when utilizing the CADImage plugin version 12.0.0.5. This flaw manifests through improper handling of maliciously crafted .dwg files, which are computer-aided design drawing files commonly used in engineering and architectural applications. The vulnerability resides within the CADIMAGE plugin component that processes these specific file formats, creating an opportunity for attackers to manipulate program execution flow through memory corruption. The issue stems from insufficient input validation and bounds checking when parsing the structured data within .dwg files, particularly in how the plugin handles faulting addresses during branch selection operations.

The technical exploitation of this vulnerability occurs at the memory management level, where the CADIMAGE plugin fails to properly validate the size and structure of data elements within the .dwg file format. When processing a malformed .dwg file, the plugin's parsing routine encounters a faulting address that controls branch selection logic at offset 0x00000000003d21b3 within the CADIMAGE module. This specific memory address manipulation can cause unpredictable program behavior, including stack corruption, heap corruption, or instruction pointer manipulation. The flaw demonstrates characteristics consistent with a classic stack-based buffer overflow or, more likely, a heap-based vulnerability where attacker-controlled data influences program control flow. This type of vulnerability falls under CWE-121, which describes stack-based buffer overflow conditions, and CWE-122, which covers heap-based buffer overflow scenarios.

The operational impact of this vulnerability extends beyond simple denial of service to potentially enable arbitrary code execution within the context of the IrfanView application. When successfully exploited, attackers can cause the application to crash or potentially execute malicious code with the privileges of the user running IrfanView. This creates a significant security risk for users who may unknowingly open malicious .dwg files, particularly in environments where users receive files from untrusted sources or where the application is used in automated processing workflows. The vulnerability affects not only individual users but also organizations that rely on IrfanView for document processing, as it could be leveraged in targeted attacks against specific user groups or in broader phishing campaigns where .dwg files are used as attack vectors.

Organizations and users should implement immediate mitigations including updating to the latest version of IrfanView and the CADImage plugin where available, as the vendor has released patches addressing this vulnerability. System administrators should consider implementing file type restrictions and content scanning for .dwg files, particularly in environments where users have elevated privileges or where sensitive data is processed. Network-based mitigations could include filtering .dwg files at perimeter defenses, though this approach is less effective since the vulnerability can be triggered through legitimate file processing within the application itself. The ATT&CK framework categorizes this vulnerability under T1203, which covers exploitation of known vulnerabilities, and T1059, which involves execution through command and scripting interfaces, as attackers may leverage this flaw to establish persistent access through compromised application execution paths. Users should exercise extreme caution when opening .dwg files from unknown sources and maintain regular updates to all software components to prevent exploitation of known vulnerabilities.
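One way to implement the file type restriction described above at a mail or upload gateway, as an added example that is not part of the original entry: it classifies a file by the 6-byte ASCII version tag that DWG files start with, so a drawing renamed to another extension is still caught. The function name, verdict strings, hold policy and sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import PurePath

# DWG files open with a 6-byte ASCII version tag such as b"AC1015".
DWG_MAGIC = re.compile(rb"AC10\d\d")
# Release names for common tags; an unlisted tag is still treated as DWG.
DWG_RELEASES = {
    b"AC1012": "R13", b"AC1014": "R14", b"AC1015": "2000",
    b"AC1018": "2004", b"AC1021": "2007", b"AC1024": "2010",
    b"AC1027": "2013", b"AC1032": "2018",
}

def inspect_attachment(filename: str, head: bytes) -> tuple:
    """Return (verdict, release) for an inbound file.

    filename is the sender-supplied name (untrusted); head is the first
    bytes of the file. Assumed policy: hold anything that is DWG by
    content or by name until it has been scanned or opened in a sandbox.
    """
    # Windows ignores trailing dots and spaces, so "plan.dwg. " opens as .dwg.
    cleaned = filename.strip().rstrip(". ")
    ext_is_dwg = PurePath(cleaned).suffix.lower() == ".dwg"
    tag = head[:6]
    content_is_dwg = DWG_MAGIC.fullmatch(tag) is not None
    release = DWG_RELEASES.get(tag, "unknown") if content_is_dwg else None
    if content_is_dwg and ext_is_dwg:
        return ("hold: DWG", release)
    if content_is_dwg:
        return ("hold: DWG content under another extension", release)
    if ext_is_dwg:
        return ("hold: .dwg name with unrecognised header", None)
    return ("pass", None)

# Constructed sample inputs: (filename, first bytes of the file).
SAMPLES = [
    ("site-plan.dwg", b"AC1027\x00\x00\x00\x00"),
    ("invoice.jpg", b"AC1018\x00\x00\x00\x00"),
    ("notes.dwg", b"%PDF-1.7\n"),
    ("PLAN.DWG. ", b"AC1015\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name!r:16} -> {inspect_attachment(name, head)}")
```

A hold verdict only routes the file for scanning or sandboxed opening; it says nothing about whether the file is malformed.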

Reservation

10/21/2017

Disclosure

10/22/2017

Moderation

accepted

CPE

ready

EPSS

0.00268

KEV

no

Activities

very low
