CVE-2017-15759 in IrfanView

Summary

by MITRE

IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to a "User Mode Write AV near NULL starting at BabaCAD4Image!ShowPlugInOptions+0x000000000001b3f3."


Analysis

by VulDB Data Team • 05/06/2026

The vulnerability CVE-2017-15759 represents a critical security flaw in IrfanView 4.50 64-bit when utilizing the BabaCAD4Image plugin version 1.3. This issue manifests through a user mode write access violation near NULL, specifically occurring at the BabaCAD4Image!ShowPlugInOptions+0x000000000001b3f3 memory location. The flaw enables attackers to execute arbitrary code or induce denial of service conditions through the careful crafting of .dwg files, which are commonly used in computer-aided design applications.

The technical nature of this vulnerability stems from improper input validation within the BabaCAD4Image plugin component of IrfanView. When the application processes a specially crafted .dwg file, the plugin fails to properly validate memory operations, leading to a write access violation that can be exploited to gain control over the application's execution flow. This type of vulnerability falls under the category of heap-based buffer overflows as defined by CWE-121, where insufficient bounds checking allows attackers to overwrite adjacent memory locations. The specific error occurs during the plugin's option display functionality, suggesting that the vulnerability is triggered when the application attempts to render or process metadata within the malicious .dwg file.
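The crash descriptor quoted in the summary can be split into fields for triage. This is an added example, not code from MITRE, VulDB or IrfanView; the `NEAREST_EXPORT_THRESHOLD` value and all function and class names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Descriptor exactly as quoted in the CVE summary on this page.
PAGE_DESCRIPTOR = ('"User Mode Write AV near NULL starting at '
                   'BabaCAD4Image!ShowPlugInOptions+0x000000000001b3f3."')

# "<title> starting at <module>!<symbol>+0x<offset>", optional trailing period.
_DESCRIPTOR = re.compile(
    r"^(?P<title>.+?)\s+starting at\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>[^+\s]+)\+0x(?P<offset>[0-9a-fA-F]+)\.?$"
)

# Assumed heuristic, not from the page: without private symbols a debugger
# names the nearest preceding export, so a large offset means the fault is
# probably not inside the named function itself.
NEAREST_EXPORT_THRESHOLD = 0x1000


@dataclass(frozen=True)
class CrashDescriptor:
    title: str
    access: str                  # "write", "read" or "unknown"
    near_null: bool
    module: str                  # faulting image: the component to patch or remove
    symbol: str
    offset: int
    symbol_is_approximate: bool


def parse_descriptor(text: str) -> CrashDescriptor:
    """Split a crash descriptor into fields usable for triage."""
    match = _DESCRIPTOR.match(text.strip().strip('"'))
    if match is None:
        raise ValueError(f"not a crash descriptor: {text!r}")
    title = match["title"]
    lowered = title.lower()
    access = "write" if "write" in lowered else "read" if "read" in lowered else "unknown"
    offset = int(match["offset"], 16)
    return CrashDescriptor(
        title=title, access=access, near_null="near null" in lowered,
        module=match["module"], symbol=match["symbol"], offset=offset,
        symbol_is_approximate=offset > NEAREST_EXPORT_THRESHOLD,
    )


if __name__ == "__main__":
    print(parse_descriptor(PAGE_DESCRIPTOR))
```

For the descriptor on this page the faulting module is the BabaCAD4Image plugin, and the offset of 0x1b3f3 past `ShowPlugInOptions` is large enough that the function name should be read as a nearest-symbol label.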

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it provides attackers with the potential to execute arbitrary code on affected systems. This capability enables malicious actors to perform a wide range of harmful activities including but not limited to installing malware, modifying system files, or establishing persistent access to compromised systems. The vulnerability affects a significant user base since IrfanView is widely used for image viewing across various organizations and individuals. According to the ATT&CK framework, this vulnerability maps to T1059.007 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) as attackers could leverage this flaw to execute commands with elevated privileges. The vulnerability particularly impacts enterprise environments where users may inadvertently open malicious files, creating potential attack vectors for lateral movement and data exfiltration.

Mitigation strategies for this vulnerability should focus on immediate patching of the affected software components. Users should upgrade to IrfanView versions that either remove or properly secure the BabaCAD4Image plugin functionality. Organizations should implement strict file validation policies and consider disabling third-party plugins that are not essential for core operations. Network segmentation and endpoint protection solutions should be configured to monitor for suspicious file execution patterns. Additionally, security awareness training should emphasize the dangers of opening untrusted files, particularly those with .dwg extensions that may be used in targeted attacks. The vulnerability demonstrates the importance of proper input validation and memory management in plugin architectures, aligning with security best practices outlined in the OWASP Top Ten and NIST cybersecurity guidelines for preventing buffer overflow attacks.

Reservation

10/21/2017

Disclosure

10/22/2017

Moderation

accepted

CPE

ready

EPSS

0.02437

KEV

no

Activities

low

Sources
