CVE-2017-15761 in IrfanView

Summary

by MITRE

IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to a "User Mode Write AV starting at BabaCAD4Image!ShowPlugInOptions+0x000000000001ecaa."

Analysis

by VulDB Data Team • 05/06/2026

The vulnerability CVE-2017-15761 represents a critical heap-based buffer overflow in IrfanView 4.50 64-bit when processing specially crafted .dwg files through the BabaCAD4Image plugin version 1.3. This issue falls under the Common Weakness Enumeration category CWE-121, heap-based buffer overflow, which occurs when a program writes data beyond the boundaries of a heap-allocated buffer. The vulnerability manifests during the execution of the ShowPlugInOptions function within the BabaCAD4Image plugin, specifically at the memory address BabaCAD4Image!ShowPlugInOptions+0x000000000001ecaa, where an access violation occurs due to improper input validation and memory management.

The technical exploitation of this vulnerability leverages the plugin architecture of IrfanView, which allows third-party modules to extend the application's functionality. When a malicious .dwg file is loaded, the BabaCAD4Image plugin fails to properly validate the file structure and size constraints, leading to a write operation that overflows the allocated buffer. This memory corruption can be exploited by attackers to execute arbitrary code with the privileges of the victim user or to cause a denial of service through application crashes. The vulnerability is particularly dangerous because it requires no special privileges to trigger and can be delivered through common file formats that users might encounter in email attachments or web downloads.

From an operational impact perspective, this vulnerability exposes users to significant security risks as it allows remote code execution without user interaction, making it a prime target for exploitation in targeted attacks. The attack surface is broad since .dwg files are commonly used in engineering and architectural applications, and many users may unknowingly open malicious files. The vulnerability affects a specific plugin version and application combination, but the underlying issue of insufficient input validation in third-party plugins represents a systemic problem in software ecosystems that rely heavily on external modules. According to the MITRE ATT&CK framework, this vulnerability maps to T1059.007 for command and scripting interpreter and T1203 for Exploitation for Client Execution, as it enables attackers to execute malicious code through the compromised application.

The recommended mitigations for this vulnerability include immediate patching of the IrfanView application and the BabaCAD4Image plugin to version 1.4 or later, which contains the necessary fixes for the buffer overflow issue. Users should disable or remove the BabaCAD4Image plugin if they do not require its functionality, particularly in environments where security is paramount. Organizations should implement strict file validation policies and consider sandboxing mechanisms to limit the impact of potential exploitation attempts. Additionally, network administrators should monitor for suspicious file types and implement email filtering rules to prevent the delivery of potentially malicious .dwg files. Regular security assessments should be conducted to identify similar vulnerabilities in other third-party plugins and application components, as this vulnerability demonstrates the importance of proper input validation and memory management in software security. The fix addresses the root cause by implementing proper bounds checking and input validation mechanisms within the plugin's file processing routines, ensuring that all buffer operations remain within allocated memory boundaries.
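
The recommendation above to disable or remove the plugin where it is not needed, as an added PowerShell example (not code from VulDB, MITRE or the IrfanView project). It assumes the plugin file is named BabaCAD4Image*.dll, inferred from the module name in the crash signature, and that it sits in the Plugins folder beside i_view32.exe or i_view64.exe; the function name and default search roots are also assumptions.

```powershell
# Added example: inventory (and optionally disable) the BabaCAD4Image plugin.
# Assumption: the DLL is named BabaCAD4Image*.dll and lives in <IrfanView>\Plugins.
function Find-BabaCadPlugin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Directories searched for IrfanView installs (defaults are assumptions).
        [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        # Rename the plugin so IrfanView can no longer load it.
        [switch]$Disable
    )

    # Drop empty or missing roots (ProgramFiles(x86) is unset on 32-bit Windows).
    $roots = @($SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($roots.Count -eq 0) { return }

    # Locate IrfanView executables; keep one entry per install directory.
    $installs = Get-ChildItem -LiteralPath $roots -Recurse -File -Filter 'i_view*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'i_view32.exe', 'i_view64.exe' } |
        Sort-Object DirectoryName -Unique

    foreach ($exe in $installs) {
        $pluginDir = Join-Path $exe.DirectoryName 'Plugins'
        if (-not (Test-Path -LiteralPath $pluginDir)) { continue }

        foreach ($dll in Get-ChildItem -LiteralPath $pluginDir -File -Filter 'BabaCAD4Image*.dll') {
            $record = [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                IrfanView     = $exe.FullName
                HostVersion   = $exe.VersionInfo.FileVersion   # advisory names 4.50 64-bit
                Plugin        = $dll.FullName
                PluginVersion = $dll.VersionInfo.FileVersion   # advisory names plugin 1.3
                Sha256        = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
                Disabled      = $false
            }
            # -Disable renames the DLL; -WhatIf previews the change without making it.
            if ($Disable -and $PSCmdlet.ShouldProcess($dll.FullName, 'Rename to .disabled')) {
                Rename-Item -LiteralPath $dll.FullName -NewName ($dll.Name + '.disabled')
                $record.Disabled = $true
            }
            $record
        }
    }
}

# Report only:        Find-BabaCadPlugin | Format-List
# Preview disabling:  Find-BabaCadPlugin -Disable -WhatIf
```

Renaming under Program Files requires an elevated session, and the reported file versions should be compared against the versions named in the advisory before deciding whether a host is affected.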

Reservation: 10/21/2017

Disclosure: 10/22/2017

Moderation: accepted

CPE: ready

EPSS: 0.01471

KEV: no

Activities: very low
