CVE-2021-31784
Description
An out-of-bounds write vulnerability exists in the file-reading procedure in Open Design Alliance Drawings SDK before 2021.6 on all ODA-supported platforms in static configuration. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in ODA Drawings SDK static builds before 2021.6 can enable denial of service or potential code execution via crafted files.
Vulnerability
An out-of-bounds write vulnerability exists in the file-reading procedure of Open Design Alliance (ODA) Drawings SDK versions before 2021.6 when built in static configuration [1]. The bug is reachable when the SDK processes a specially crafted drawing file; no special configuration beyond using a static build of the SDK is required.
Exploitation
An attacker needs only the ability to supply a malicious drawing file to an application using the vulnerable SDK [1]. No authentication or elevated privileges are required. The attack vector is file-based: the victim opens or processes the crafted file, triggering the out-of-bounds write during parsing.
Impact
Successful exploitation can cause a crash (denial of service) or, depending on the memory layout, may enable arbitrary code execution in the context of the affected application [1]. The impact is limited to the process hosting the ODA SDK.
Mitigation
Users should upgrade to ODA Drawings SDK version 2021.6 or later [1]. No workaround is described in the available references; if upgrading is not immediately possible, avoid opening untrusted drawing files.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Design Alliance/Drawings SDK
- Range: <2021.6
Patches
No patches discovered yet.
References
- cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf (mitre, x_refsource_CONFIRM)
- www.opendesign.com/security-advisories (mitre, x_refsource_MISC)