CVE-2021-46641
Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DGN files. Crafted data in a DGN file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15513.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote code execution vulnerability in Bentley View 10.15.0.75 caused by a DGN file out-of-bounds read, exploitable with user interaction.
Vulnerability
The vulnerability exists in the DGN file parsing component of Bentley View version 10.15.0.75 (and other affected versions prior to 10.16.02.*). A specially crafted DGN file can trigger a read past the end of an allocated buffer during parsing, leading to memory corruption. This flaw is part of a larger class of out-of-bounds vulnerabilities discovered in MicroStation and MicroStation-based applications [1][2].
Exploitation
An attacker must convince a user to open a malicious DGN file or visit a malicious page that invokes the vulnerable parser. No special privileges are required, and the attack is local (user interaction is the only prerequisite). The crafted data in the DGN file causes the parser to read beyond the bounds of an allocated buffer, potentially corrupting memory in a controlled way [1][2].
Impact
Successful exploitation could allow an attacker to execute arbitrary code in the context of the current process. This could lead to full compromise of the affected system's confidentiality, integrity, and availability (CVSS v3.1 score 7.8) [1][2].
Mitigation
Bentley has released a fix in version 10.16.02.* of Bentley View and MicroStation-based applications. Users should update to the latest version as soon as possible. As a workaround, only open DGN files from trusted sources [2]. The advisory (BE-2021-0009) was published on 2021-12-07, and the ZDI advisory (ZDI-22-228) was published on 2022-01-31 [1][2]. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 10.15.0.75
- Bentley/View, v5, Range: 10.15.0.75
Patches
No patches discovered yet.
References
- www.bentley.com/en/common-vulnerability-exposure/BE-2021-0009 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-22-228/ (mitre, x_refsource_MISC)