CVE-2022-41199: 
SAP 3D Visual Enterprise Viewer vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-41199) was discovered in SAP 3D Visual Enterprise Viewer version 9, related to improper memory management when processing Open Inventor Files (.iv, vrml.x3d). The vulnerability was disclosed on October 11, 2022, and received a CVSS v3.1 base score of 7.8 (High) (NVD).

The vulnerability stems from a lack of proper validation of user-supplied data length before copying it to a fixed-length stack-based buffer when parsing IV files. This can lead to stack-based buffer overflow conditions or dangling pointer reuse, potentially allowing for remote code execution. The vulnerability is classified under CWE-787 (Out-of-bounds Write) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (ZDI, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process, potentially leading to complete system compromise. The vulnerability requires user interaction, as the target must open a malicious file (ZDI).

SAP has released security updates to address this vulnerability. Users are advised to apply the available patches as detailed in the SAP security advisory (ZDI).