CVE-2021-43275

Vulnerability

A use-after-free vulnerability exists in the DGN file reading procedure in Open Design Alliance Drawings SDK versions before 2022.8. The issue arises from the lack of validating the existence of an object prior to performing operations on it, leading to a use-after-free condition when processing specially crafted DGN files. [1]

Exploitation

An attacker can exploit this vulnerability by providing a malicious DGN file to a user or application using the affected SDK. No authentication is required; the victim only needs to open the crafted file. The attacker does not need any special network position beyond delivering the file.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. This can lead to full compromise of the affected system, including data theft, malware installation, or further lateral movement.

Mitigation

The vulnerability is fixed in Open Design Alliance Drawings SDK version 2022.8, released in November 2021. Users should upgrade to this version or later. No workarounds are documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.