CVE-2024-11521: 
IrfanView vulnerability analysis and mitigation

IrfanView DJVU File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2024-11521) was discovered and disclosed on November 21, 2024. This vulnerability affects IrfanView installations, specifically version 4.67 for both x64 and x86 architectures. The vulnerability requires user interaction, where the target must visit a malicious page or open a malicious file to trigger the exploit (Zero Day Initiative).

The vulnerability exists within the parsing of DJVU files and stems from the lack of validating the existence of an object prior to performing operations on the object. This use-after-free condition can be exploited to execute arbitrary code in the context of the current process. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Zero Day Initiative, NVD).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. The impact includes potential unauthorized code execution with the same privileges as the current process, which could lead to system compromise (Zero Day Initiative).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to mitigate the risk (Zero Day Initiative).