CVE-2023-26495
Description
An issue was discovered in Open Design Alliance Drawings SDK before 2024.1. A crafted DWG file can force the SDK to reuse an object that has been freed. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in ODA Drawings SDK before 2024.1, triggered by a crafted DWG file, can be combined with other vulnerabilities to execute arbitrary code.
Vulnerability
The vulnerability resides in the Open Design Alliance Drawings SDK before version 2024.1. A specially crafted DWG file can trigger a use-after-free condition, where the SDK incorrectly reuses an object that has already been freed [1]. The issue arises during parsing of malformed DWG data, leading to a dangling pointer reference.
Exploitation
An attacker must deliver a malicious DWG file to a user or application that relies on the vulnerable SDK. No special network position or authentication is required beyond the ability to open the file. When the SDK processes the crafted DWG, it frees an object but later accesses it through a stale pointer, corrupting memory [1]. The attacker can chain this with other vulnerabilities to achieve control.
Impact
Successful exploitation can lead to arbitrary code execution in the context of the application using the ODA Drawings SDK. This compromises confidentiality, integrity, and availability, potentially allowing full system compromise [1].
Mitigation
The issue is fixed in ODA Drawings SDK version 2024.1 and later. Users should update to the latest version available from the vendor [1]. No workaround is provided; updating the SDK is the recommended mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <2024.1
Patches
No patches discovered yet.
References
1