CVE-2021-25176
Description
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in ODA Drawings SDK before 2021.11 (and Siemens JT2Go) when rendering malformed DXF/DWG files causes crashes or potential RCE.
Vulnerability
A NULL pointer dereference exists in Open Design Alliance Drawings SDK versions before 2021.11 when processing malformed .DXF and .DWG files. The flaw lies in the rendering logic where a user-supplied pointer is not properly validated before dereference, leading to a crash. This issue also affects Siemens JT2Go, which uses the vulnerable SDK [2][3].
Exploitation
An attacker can trigger the vulnerability by convincing a target to open a specially crafted .DXF or .DWG file, either by visiting a malicious website or opening a malicious attachment. No prior authentication is required. The parsing code path is reachable without any special configuration. The vulnerability is remotely exploitable with user interaction [2][3].
Impact
Successful exploitation can lead to a denial of service (crash, exit, or restart) as described in the CVE description. However, the ZDI advisories [2][3] assign a CVSS score of 7.8 (High) and note that due to the nature of the untrusted pointer dereference, arbitrary code execution in the context of the current process may be possible, resulting in complete compromise of confidentiality, integrity, and availability.
Mitigation
Open Design Alliance addressed the issue in Drawings SDK version 2021.11. Affected users should update to that version or later. For Siemens JT2Go, users should apply the latest patches provided by Siemens. No workarounds are detailed in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Open Design Alliance/Drawings SDKdescription
- Range: <2021.11
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- cert-portal.siemens.com/productcert/pdf/ssa-155599.pdfmitrex_refsource_CONFIRM
- cert-portal.siemens.com/productcert/pdf/ssa-663999.pdfmitrex_refsource_CONFIRM
- www.opendesign.com/security-advisoriesmitrex_refsource_MISC
- www.zerodayinitiative.com/advisories/ZDI-21-221/mitrex_refsource_MISC
- www.zerodayinitiative.com/advisories/ZDI-21-222/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.