search menu icon-carat-right cmu-wordmark

CERT Coordination Center

SketchUp Viewer buffer overflow vulnerability

Vulnerability Note VU#586958

Original Release Date: 2013-12-12 | Last Revised: 2013-12-13


SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file.


CWE-121: Stack-based Buffer Overflow - CVE-2013-6038

SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker to run arbitrary code in the context of the logged in user. It is unknown if other versions of this software are also affected.


By convincing a user to open a specially crafted .SKP file with SketchUp, a remote unauthenticated attacker could execute arbitrary code on a vulnerable system in the context of the logged in user.


We are currently unaware of a practical solution to this problem.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of these vulnerabilities.

Use caution when opening email attachments

See US-CERT tip ST04-010 for details.

Vendor Information


SketchUp Affected

Notified:  September 24, 2013 Updated: December 13, 2013



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P
Temporal 4 E:POC/RL:U/RC:C
Environmental 1.0 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-6038
Date Public: 2013-12-12
Date First Published: 2013-12-12
Date Last Updated: 2013-12-13 18:34 UTC
Document Revision: 17

Sponsored by CISA.