CVE-2025-7266 Overview
CVE-2025-7266 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw resides in the plugin's DXF file parser, which fails to properly validate user-supplied data. Attackers can craft a malicious DXF file that triggers memory corruption when opened. Successful exploitation allows arbitrary code execution in the context of the current process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26174 and is tracked under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
A crafted DXF file opened in IrfanView with the CADImage Plugin enables remote code execution under the user's privileges, with no authentication required beyond local user interaction.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with the CADImage Plugin installed
- Windows hosts opening DXF files through IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7266 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7266
Vulnerability Analysis
The vulnerability exists in the DXF (Drawing Exchange Format) file parsing logic of the CADImage Plugin distributed with IrfanView. DXF is an ASCII or binary CAD interchange format that contains group codes describing geometric entities, tables, and blocks. The plugin processes these structures to render CAD drawings inside IrfanView. The parser does not adequately validate length or size fields supplied within the DXF file before using them in memory operations. An attacker who controls the file contents can drive the parser into an out-of-bounds or otherwise corrupted memory state. The resulting condition is sufficient to hijack control flow and execute attacker-supplied code.
Root Cause
The root cause is missing validation of user-supplied data inside the DXF parsing routines, classified under [CWE-119]. Untrusted size or offset values from the DXF stream are used in buffer operations without proper bounds checking, producing a memory corruption condition. See the Zero Day Initiative Advisory ZDI-25-514 for additional technical context.
Attack Vector
Exploitation requires user interaction. The target must open a malicious DXF file in IrfanView with the CADImage Plugin installed, or visit a page that delivers and triggers the file. The attack runs locally in the IrfanView process, so the attacker inherits the privileges of the user opening the file. Common delivery methods include phishing emails with DXF attachments, drive-by downloads, and file-share staging in environments where engineering or CAD-adjacent users routinely preview DXF files.
No verified proof-of-concept code is published. The vulnerability mechanism is described in prose based on the ZDI advisory; refer to the Zero Day Initiative Advisory ZDI-25-514 for vendor and disclosure details.
Detection Methods for CVE-2025-7266
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes spawning command shells, powershell.exe, or rundll32.exe
- DXF files arriving via email attachments, browser downloads, or shared drives immediately preceding suspicious process activity
- Crashes or access violations recorded in Windows Event Logs for the IrfanView process after opening a DXF file
- Outbound network connections originating from the IrfanView process to unfamiliar hosts
Detection Strategies
- Hunt for IrfanView processes loading CADImage.dll followed by anomalous module loads or memory allocations marked executable
- Correlate DXF file open events with subsequent process creation events under the same user session
- Alert on IrfanView writing executables, scripts, or scheduled tasks to disk
Monitoring Recommendations
- Monitor endpoint telemetry for IrfanView process crashes and Windows Error Reporting entries referencing the CADImage plugin
- Track DXF file delivery through email gateways and web proxies, especially from external senders
- Review Sysmon Event ID 1 (process create) and Event ID 7 (image load) for the IrfanView process tree
How to Mitigate CVE-2025-7266
Immediate Actions Required
- Inventory endpoints running IrfanView and identify systems with the CADImage Plugin installed
- Restrict opening of DXF files from untrusted sources until a fixed plugin version is deployed
- Block or quarantine DXF attachments at email and web gateways for users who do not require CAD interchange files
- Remove the CADImage Plugin from systems that do not have a business need to render DXF files
Patch Information
At the time of writing, no vendor advisory URL is referenced in the NVD entry. Administrators should monitor the CADSoftTools CADImage advisory channel and the IrfanView plugin download page for an updated CADImage Plugin release that addresses CVE-2025-7266, then deploy the fixed version to all affected x86 and x64 installations.
Workarounds
- Uninstall the CADImage Plugin from IrfanView installations where DXF rendering is not required
- Configure file associations so DXF files do not open automatically in IrfanView
- Apply application allow-listing and attack surface reduction rules that block IrfanView from spawning child processes such as cmd.exe or powershell.exe
- Run IrfanView under a standard user account and avoid opening DXF files received from unverified sources
# Configuration example: block IrfanView from spawning child processes via Windows AppLocker / WDAC equivalents
# PowerShell example to remove file association for .dxf in the current user hive
Reg delete "HKCU\Software\Classes\.dxf" /f
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dxf\UserChoice" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

