CVE-2022-40639: 
Ansys SpaceClaim vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2022-40639) was discovered in Ansys SpaceClaim 2022 R1, affecting the SKP file parsing functionality. The vulnerability was disclosed on September 14, 2022, and allows remote attackers to execute arbitrary code on affected installations (ZDI Advisory).

The vulnerability exists within the parsing of SKP files and results from the lack of validating the existence of an object prior to performing operations on the object. This use-after-free condition can be leveraged by attackers to execute code in the context of the current process. The vulnerability has been assigned a CVSS score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (ZDI Advisory).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. However, user interaction is required as the target must visit a malicious page or open a malicious file (ZDI Advisory).

The vulnerability has been fixed in Ansys SpaceClaim 2023 R2. Users of affected versions should upgrade to this patched version to mitigate the risk (ZDI Advisory).