CVE-2024-11522: 
IrfanView vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2024-11522) was discovered in IrfanView affecting version 4.67 (x64 and x86). The vulnerability was disclosed on November 21, 2024, and is related to the parsing of DXF files. The flaw stems from improper validation of user-supplied data during DXF file parsing, which can lead to memory corruption (Zero Day Initiative).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is categorized under CWE-787 (Out-of-bounds Write) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The vulnerability specifically occurs during the processing of DXF files, where insufficient validation of user input can trigger a memory corruption condition (NVD, Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically opening a malicious file or visiting a malicious page. The vulnerability affects both confidentiality and integrity of the system, with potential for complete compromise of the affected application (Zero Day Initiative).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to protect against potential exploitation (Zero Day Initiative).