CVE-2024-11510: 
IrfanView vulnerability analysis and mitigation

IrfanView WBZ plugin contains a stack-based buffer overflow vulnerability (CVE-2024-11510) in the parsing of WB1 files. The vulnerability was discovered by Minseo Kim of WHS WWW Team and was disclosed on November 21, 2024. This vulnerability affects IrfanView versions from 4.62 up to (excluding) 4.70 (ZDI Advisory).

The vulnerability exists within the parsing of WB1 files and results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability has been classified under CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow) (NVD).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. The attacker can leverage this vulnerability to execute code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).