CVE-2021-25174
Description
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory corruption in Open Design Alliance Drawings SDK before 2021.12 via malformed DGN files, leading to denial of service or possible remote code execution.
Vulnerability
A memory corruption vulnerability exists in Open Design Alliance Drawings SDK versions prior to 2021.12 [1]. The flaw occurs when the SDK parses malformed DGN files, due to improper validation of user-supplied data. This can lead to a crash or potentially allow an attacker to execute arbitrary code [2].
Exploitation
To exploit this vulnerability, an attacker must convince a user to open a specially crafted DGN file, either by downloading and opening it or by visiting a malicious web page that triggers parsing. No prior authentication is required, but user interaction is necessary [2]. The attacker supplies a malformed DGN file that triggers memory corruption during parsing.
Impact
Successful exploitation can cause the application to crash, resulting in denial of service. According to the ZDI advisory, the vulnerability may also allow remote code execution in the context of the current process, with high impact on confidentiality, integrity, and availability (CVSS 7.8) [2].
Mitigation
The vulnerability is fixed in Open Design Alliance Drawings SDK version 2021.12 [1]. Users and vendors (e.g., Siemens JT2Go) should update to the latest SDK version. Until patched, avoid opening untrusted DGN files. No other workaround is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Design Alliance/Drawings SDK
- Range: < 2021.12
Patches
No patches discovered yet.
References
- cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf (mitre, x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf (mitre, x_refsource_CONFIRM)
- www.opendesign.com/security-advisories (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-226/ (mitre, x_refsource_MISC)