CVE-2024-11524: 
IrfanView vulnerability analysis and mitigation

A remote code execution vulnerability has been identified in IrfanView's DXF file parsing functionality, tracked as CVE-2024-11524. The vulnerability affects IrfanView version 4.67 (both x64 and x86 versions) and was discovered through the Zero Day Initiative program (ZDI-CAN-24598). The issue was publicly disclosed on November 21, 2024 (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of DXF files, which can result in a memory corruption condition. It has been classified as an Out-of-bounds Write (CWE-787) vulnerability. The CVSS v3.1 base score is 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of IrfanView. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (ZDI Advisory).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to mitigate the risk (ZDI Advisory).