CVE-2017-15760 in IrfanView
Summary
by MITRE
IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to a "User Mode Write AV near NULL starting at BabaCAD4Image!ShowPlugInOptions+0x000000000001ce82."
Analysis
by VulDB Data Team • 05/06/2026
The vulnerability CVE-2017-15760 represents a critical heap-based buffer overflow in IrfanView 4.50 64-bit when processing specially crafted .dwg files through the BabaCAD4Image plugin version 1.3. This issue manifests as a user mode write access violation near a NULL memory location, specifically at the ShowPlugInOptions function within the BabaCAD4Image module. The flaw occurs during the parsing of AutoCAD drawing files that contain malformed data structures, creating an opportunity for attackers to exploit memory corruption through improper input validation and handling. The vulnerability is particularly concerning because it allows for arbitrary code execution or denial of service when the vulnerable application processes maliciously crafted drawing files, making it a significant threat to users who frequently handle CAD documents.
The technical root cause of this vulnerability stems from insufficient bounds checking within the BabaCAD4Image plugin's parsing routines for the .dwg file format. When IrfanView loads a .dwg file through the plugin interface, the application fails to properly validate the size and structure of data elements within the file header or object definitions. This inadequate input sanitization leads to a situation where a crafted sequence of bytes in the .dwg file causes the plugin to write beyond allocated memory boundaries, resulting in heap corruption. The specific memory access violation occurs at offset 0x000000000001ce82 within the ShowPlugInOptions function, indicating that the overflow happens during the display of the plugin options or configuration dialog, suggesting the vulnerability may be triggered even during simple file preview operations.
From an operational perspective, this vulnerability creates a high-risk attack surface for both individual users and enterprise environments that rely on IrfanView for image processing tasks. The attack vector requires minimal user interaction since simply opening a malicious .dwg file in IrfanView can trigger the exploit, making it particularly dangerous in phishing scenarios or when processing files from untrusted sources. The potential impact extends beyond simple denial of service to full system compromise, as attackers could leverage this vulnerability to execute malicious code with the privileges of the affected user. This makes the vulnerability particularly attractive to threat actors targeting office environments where CAD files are commonly exchanged and processed through standard image viewers.
The vulnerability aligns with CWE-121, Heap-based Buffer Overflow, and represents a classic example of improper input validation in third-party plugin components. In the ATT&CK framework, this vulnerability maps to T1203 - Exploitation for Client Execution, where adversaries leverage software vulnerabilities to execute malicious code on target systems. The attack chain typically involves delivering a malicious .dwg file through social engineering or direct compromise, followed by successful exploitation of the buffer overflow to gain code execution privileges. Organizations should consider implementing network segmentation and file validation policies to reduce the risk of exploitation, particularly in environments where users regularly process external CAD files. Additionally, the vulnerability highlights the importance of keeping third-party plugins updated and regularly auditing software components for known security issues, as the vulnerability exists specifically within the BabaCAD4Image plugin rather than the core IrfanView application.
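One way to apply the file validation policy mentioned above is an inbound-file gate that identifies DWG content by its header instead of trusting the file name. This is an added example, not code from VulDB, MITRE or IrfanView; the function names, verdict labels and sample headers are constructed for illustration, and it assumes drawings carry the ASCII version tag `AC` followed by four digits.

```python
import re
from pathlib import Path

# Assumption: DWG files start with the ASCII version tag "AC" plus four
# digits (for example AC1015 or AC1032). Older dotted tags are not covered.
DWG_TAG = re.compile(rb"AC\d{4}")

def classify(name: str, head: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one inbound file.

    quarantine: content is DWG, so it must not reach a host where the
                affected plugin would parse it.
    review:     named .dwg but the header is not DWG (mislabeled or malformed).
    allow:      neither the name nor the content indicates DWG.
    """
    named_dwg = name.lower().endswith(".dwg")
    looks_dwg = DWG_TAG.match(head) is not None
    if looks_dwg and named_dwg:
        return "quarantine", "DWG drawing"
    if looks_dwg:
        return "quarantine", "DWG content under a non-.dwg name"
    if named_dwg:
        return "review", ".dwg name without a DWG header"
    return "allow", "not a DWG file"

def triage(inbox: Path) -> dict[str, tuple[str, str]]:
    """Classify every regular file under `inbox` from its first 6 bytes."""
    results = {}
    for path in sorted(p for p in inbox.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            results[str(path.relative_to(inbox))] = classify(path.name, fh.read(6))
    return results

# Constructed sample headers (not real drawings), used when run directly.
SAMPLES = {
    "site-plan.dwg": b"AC1032\x00\x00",
    "invoice.png": b"AC1015\x00\x00",
    "broken.dwg": b"\x00\x00\x00\x00\x00\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, *classify(name, head))
```

Quarantined files can be released to hosts that do not run the affected IrfanView and plugin combination; the "review" verdict catches files whose name and header disagree.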