CVE-2017-15758 in IrfanView
Summary
by MITRE
IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to "Data from Faulting Address controls subsequent Write Address starting at BabaCAD4Image!ShowPlugInOptions+0x000000000004d75b."
Analysis
by VulDB Data Team • 05/06/2026
This vulnerability affects IrfanView 4.50 (64-bit) when version 1.3 of the BabaCAD4Image plugin is installed. It is a critical flaw that allows remote code execution or denial of service through a specially crafted .dwg file. The defect lies in the plugin's insufficient validation of CAD drawing input: while the file is processed, data read from the faulting address ends up controlling a subsequent write address at BabaCAD4Image!ShowPlugInOptions+0x000000000004d75b. Because an attacker controls where that write lands, the condition can be used to redirect execution flow and run injected code inside the vulnerable process. The flaw is a buffer overflow during parsing of .dwg file metadata, where missing bounds checks allow memory regions to be overwritten and arbitrary instructions to be executed.
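The summary quotes a crash-triage description of the form "Data from Faulting Address controls subsequent Write Address starting at module!symbol+offset". The following added example (not code from VulDB, MITRE or IrfanView) parses such lines and buckets them by the access type, so a defender sorting fuzzing crashes can see why a tainted write address is triaged as more severe than a tainted read. The second sample line is constructed for contrast and does not describe a real crash.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed line format (as quoted in the CVE text):
#   "Data from Faulting Address controls subsequent <Read|Write> Address
#    starting at <module>!<symbol>+0x<offset>"
_CRASH_RE = re.compile(
    r"Data from Faulting Address controls subsequent (?P<access>Read|Write) Address"
    r"\s+starting at\s+(?P<module>[\w.]+)!(?P<symbol>\w+)\+0x(?P<offset>[0-9a-fA-F]+)"
)


@dataclass
class CrashSite:
    module: str
    symbol: str
    offset: int      # offset from the symbol, parsed from hex
    access: str      # "Read" or "Write"
    severity: str    # triage bucket derived from the access type


def classify(access: str) -> str:
    # An attacker-influenced *write* address is a memory-corruption primitive
    # and is conventionally triaged as likely exploitable; an influenced *read*
    # more often means an information leak or a plain crash (DoS).
    return "likely-exploitable" if access == "Write" else "probably-dos-or-infoleak"


def parse_crash_line(line: str) -> Optional[CrashSite]:
    m = _CRASH_RE.search(line)
    if not m:
        return None
    return CrashSite(module=m["module"], symbol=m["symbol"],
                     offset=int(m["offset"], 16), access=m["access"],
                     severity=classify(m["access"]))


def triage(lines: List[str]) -> List[CrashSite]:
    return [site for site in map(parse_crash_line, lines) if site is not None]


# Constructed sample input: line 1 is the description quoted in the CVE,
# line 2 is a made-up read-side variant, line 3 is noise to be ignored.
SAMPLE_LINES = [
    "Data from Faulting Address controls subsequent Write Address starting at "
    "BabaCAD4Image!ShowPlugInOptions+0x000000000004d75b.",
    "Data from Faulting Address controls subsequent Read Address starting at "
    "BabaCAD4Image!ShowPlugInOptions+0x1234.",
    "unrelated log line",
]

if __name__ == "__main__":
    for site in triage(SAMPLE_LINES):
        print(f"{site.module}!{site.symbol}+0x{site.offset:x}: {site.access} -> {site.severity}")
```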
This pattern corresponds to CWE-121 (Stack-based Buffer Overflow): the plugin does not properly validate the size and content of data structures in the .dwg format. The resulting memory-access pattern provides a predictable attack vector that is typically reached through social engineering, with the user unknowingly opening a malicious CAD file. The impact is amplified by IrfanView's widespread use as a standard image viewer, including in engineering and architecture environments where .dwg files are common. Successful exploitation executes code with the privileges of the affected user and can lead to full system compromise, data exfiltration, or lateral movement within the network.
The operational consequences go beyond denial of service to full system compromise and persistent access. Arbitrary code execution can be used for privilege escalation, establishing persistence, and data theft. Because many organizations rely on IrfanView for document viewing, it is an attractive target for targeted attacks, and exploitation requires minimal user interaction beyond opening the malicious file, which makes it well suited to phishing campaigns or supply chain attacks. Organizations running IrfanView with the BabaCAD4Image plugin should immediately put mitigations in place, including disabling the plugin, restricting the file types that may be opened, and deploying network-based protections against exploitation attempts.
Mitigation should focus on promptly patching the affected components and, in particular, disabling or removing the vulnerable BabaCAD4Image plugin from IrfanView installations. System administrators should apply application whitelisting policies to restrict execution of untrusted .dwg files, and network security teams should deploy signature-based detection rules for the memory-access patterns associated with this vulnerability. In ATT&CK terms the vulnerability maps to T1059 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation), reflecting that exploitation typically combines code injection with privilege elevation. Organizations should also consider sandboxing file processing and defining incident response procedures for image-file-based attacks. Regular security assessments and vulnerability scans should verify plugin integrity and application configuration so that unauthorized modifications cannot enable exploitation of this or similar vulnerabilities.