CVE-2024-9727: 
Trimble SketchUp Viewer vulnerability analysis and mitigation

Trimble SketchUp Viewer contains a use-after-free vulnerability (CVE-2024-9727) that was discovered in the SKP file parsing functionality. The vulnerability was reported to the vendor on May 1, 2024, and was later published as a zero-day advisory on November 12, 2024 (ZDI Advisory).

The vulnerability exists within the parsing of SKP files in Trimble SketchUp Viewer. The specific flaw results from the lack of validating the existence of an object prior to performing operations on the object. This use-after-free condition has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory, NVD).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. The code execution occurs in the context of the current process, potentially leading to full system compromise (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. As of the disclosure date, no official patch has been released by the vendor (ZDI Advisory).