CVE-2021-25173
Description
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory allocation vulnerability in Open Design Alliance Drawings SDK before 2021.12 allows denial of service or remote code execution via malformed DGN files.
Vulnerability
The Open Design Alliance Drawings SDK versions prior to 2021.12 contain a memory allocation with excessive size vulnerability when parsing malformed DGN files. The issue results from improper validation of user-supplied data, which can lead to a write past the end of an allocated buffer [2]. Products that incorporate the SDK, such as Siemens JT2Go, are also affected.
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted DGN file. No authentication is required. The flaw is triggered during the parsing of the DGN file, where the lack of proper bounds checking allows an out-of-bounds write [2].
Impact
In the SDK itself, exploitation can cause a crash, exit, or restart, leading to denial of service. In affected products like Siemens JT2Go, the out-of-bounds write can be leveraged to achieve remote code execution in the context of the current process [2].
Mitigation
The vulnerability is fixed in Open Design Alliance Drawings SDK version 2021.12 [1]. Users of affected products should apply vendor updates. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Design Alliance/Drawings SDK
- Range: <2021.12
Patches
No patches discovered yet.
References
- cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf (mitre, x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf (mitre, x_refsource_CONFIRM)
- www.opendesign.com/security-advisories (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-225/ (mitre, x_refsource_MISC)