CVE-2017-15762 in IrfanView
Summary
by MITRE
IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to a "User Mode Write AV near NULL starting at BabaCAD4Image!ShowPlugInOptions+0x000000000001f31b."
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/06/2026
This vulnerability exists in IrfanView version 4.50 64-bit when the BabaCAD4Image plugin version 1.3 is installed, creating a critical security risk that allows remote code execution or denial of service attacks through maliciously crafted .dwg files. The flaw manifests as a user mode write access violation near NULL memory location, specifically occurring at the BabaCAD4Image!ShowPlugInOptions+0x000000000001f31b address within the plugin's code execution flow. This type of vulnerability represents a classic buffer overflow condition where insufficient input validation allows attackers to manipulate memory operations and potentially execute arbitrary code within the context of the IrfanView process. The vulnerability stems from improper handling of .dwg file formats during the plugin's processing routine, where the application fails to properly validate or sanitize input data before attempting to parse and render CAD drawings.
The technical exploitation of this vulnerability follows a predictable pattern that aligns with common software exploitation methodologies and can be mapped to CWE-121, which describes heap-based buffer overflow conditions. Attackers can craft specially formatted .dwg files that trigger the vulnerable code path within the BabaCAD4Image plugin, leading to memory corruption that can be leveraged for privilege escalation or complete system compromise. The specific memory access violation occurs during the ShowPlugInOptions function execution, indicating that the flaw exists in the plugin's user interface handling code where it processes plugin configuration options for CAD file display. This represents a particularly dangerous condition because it allows attackers to execute arbitrary code with the privileges of the IrfanView process, potentially enabling full system compromise if the application is running with elevated permissions.
From an operational impact perspective, this vulnerability creates significant risk for organizations that rely on IrfanView for document viewing and image processing tasks, particularly in environments where users may encounter untrusted .dwg files from external sources. The vulnerability affects not only individual users but also enterprise environments where IrfanView might be deployed across multiple systems, making it a prime target for targeted attacks. The denial of service component of this vulnerability means that even if code execution cannot be achieved, attackers can still disrupt normal operations by causing application crashes or system instability. The exploitation requires minimal technical skill, making it particularly dangerous as it can be leveraged by threat actors with varying levels of expertise. This vulnerability also maps to several ATT&CK techniques including T1203, which involves legitimate user execution of programs, and T1059, which covers command and scripting interpreter usage, as attackers may leverage this flaw to establish persistent access through malicious file delivery.
Organizations should immediately implement mitigations including disabling the BabaCAD4Image plugin if .dwg file viewing is not essential for their operations, applying the vendor-provided security patches as soon as they become available, and implementing network-based protections such as content filtering and sandboxing mechanisms. Additionally, users should be educated about the dangers of opening untrusted .dwg files and the importance of keeping software updated. The vulnerability demonstrates the importance of plugin security and proper input validation in third-party software components, as the flaw exists specifically within the plugin rather than the core IrfanView application. Security teams should monitor for exploitation attempts through network traffic analysis and endpoint detection systems, particularly looking for unusual file processing activities involving CAD file formats. The vulnerability also highlights the need for comprehensive application whitelisting policies and regular security assessments of all installed plugins and extensions to prevent similar issues from occurring in other software applications.