CVE-2017-15754 in IrfanView
Summary
by MITRE
IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to a "User Mode Write AV near NULL starting at BabaCAD4Image!ShowPlugInOptions+0x0000000000013968."
Analysis
by VulDB Data Team • 05/06/2026
This vulnerability resides in IrfanView 4.50 64-bit when the BabaCAD4Image plugin version 1.3 is installed. Opening a maliciously crafted .dwg file can lead to remote code execution or denial of service. The fault is a user-mode write access violation near a NULL address, at BabaCAD4Image!ShowPlugInOptions+0x0000000000013968, which points to memory corruption in the plugin's handling of CAD drawing files. The root cause is inadequate input validation and memory management when the plugin processes the structured data in a .dwg file that contains malformed or deliberately constructed elements. The flaw is classed as CWE-121 (heap-based buffer overflow): the plugin does not properly validate the size and structure of incoming data before writing to allocated memory. The attack vector relies on the plugin's insufficient bounds checking, so crafted file content can influence the memory layout and reach the vulnerable code path during file processing.
The impact goes beyond code execution: when a user opens a crafted .dwg file in the vulnerable IrfanView environment, the flaw can be leveraged for full system compromise. An attacker can inject and execute arbitrary code in the context of the IrfanView process, with possible follow-on privilege escalation, data exfiltration, or system takeover. The denial-of-service side of the flaw can also be used to disrupt legitimate work by crashing the application or destabilizing the system when a malicious file is processed. The issue is especially concerning because IrfanView is widely used for image viewing and processing, which makes it an attractive target for social engineering in which users open malicious files received as email attachments or through file-sharing platforms. The memory corruption pattern suggests that carefully crafted payloads manipulating the heap layout could be used to bypass modern exploit mitigations such as DEP and ASLR.
Security professionals should treat this vulnerability as a textbook example of plugin-based exploitation in multimedia applications; it aligns with ATT&CK technique T1059.007 (command and scripting interpreter execution through file processing). It shows how a third-party plugin can introduce a critical weakness into an otherwise stable application and why plugin architectures need thorough security testing. Recommended immediate mitigations are: disable the BabaCAD4Image plugin until a patched version is available; enforce strict file type validation; and deploy network-based intrusion detection to monitor for exploitation attempts. The flaw also reinforces the need to keep software current and to assess all installed plugins and extensions regularly. System administrators should consider application whitelisting policies that restrict execution of potentially vulnerable applications and their plugins, and users should be educated about the risks of opening files from untrusted sources and the importance of applying updates for known vulnerabilities. Fundamentally, this is a classic case of insufficient input sanitization in a file format parser, where legacy code and inadequate security controls combine into an attack surface that can be exploited remotely with no user interaction beyond opening a malicious file.
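As an added example of the first mitigation above (this is not VulDB's or IrfanView's own code), the PowerShell script below checks a Windows host for the affected IrfanView/plugin combination and, with -Disable, renames the plugin DLL so IrfanView no longer loads it for .dwg files. It assumes the default 64-bit install directory, the executable name i_view64.exe, a Plugins subfolder, and the plugin file name BabaCAD4Image.dll derived from the module name in the crash signature.

```powershell
# Added example, not part of the VulDB entry or the IrfanView project.
# Inventory a host for IrfanView 4.50 64-bit with BabaCAD4Image plugin 1.3
# (CVE-2017-15754) and optionally disable the plugin by renaming its DLL.
# Assumptions: default install path, i_view64.exe, Plugins\BabaCAD4Image.dll.
param(
    [string]$IrfanViewDir = 'C:\Program Files\IrfanView',
    [switch]$Disable
)

$exe    = Join-Path $IrfanViewDir 'i_view64.exe'
$plugin = Join-Path $IrfanViewDir 'Plugins\BabaCAD4Image.dll'

if (-not (Test-Path $exe)) {
    Write-Output "IrfanView 64-bit not found under $IrfanViewDir"
    return
}

# Product version is read from the PE version resource of the executable.
$ivVersion = (Get-Item $exe).VersionInfo.ProductVersion
Write-Output "IrfanView version: $ivVersion"

if (-not (Test-Path $plugin)) {
    Write-Output 'BabaCAD4Image plugin not installed; CVE-2017-15754 does not apply'
    return
}

$pluginVersion = (Get-Item $plugin).VersionInfo.FileVersion
Write-Output "BabaCAD4Image plugin version: $pluginVersion"

# The entry names IrfanView 4.50 with plugin 1.3; treat that pair as affected.
$affected = ($ivVersion -like '4.50*') -and ($pluginVersion -like '1.3*')
if ($affected) {
    Write-Output 'Affected combination present (CVE-2017-15754)'
} else {
    Write-Output 'Version pair does not match the affected combination; review manually'
}

if ($Disable) {
    # Renaming is reversible and stops IrfanView from loading the DLL.
    Rename-Item -Path $plugin -NewName 'BabaCAD4Image.dll.disabled'
    Write-Output "Plugin disabled: $plugin -> BabaCAD4Image.dll.disabled"
}
```

Run it from an elevated prompt, since renaming a file under Program Files requires administrative rights.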