CVE-2024-11534: 
IrfanView vulnerability analysis and mitigation

CVE-2024-11534 is a remote code execution vulnerability discovered in IrfanView software. The vulnerability was disclosed on November 21st, 2024, and affects IrfanView installations through version 4.67. This security flaw specifically involves the parsing of DXF files and requires user interaction, such as visiting a malicious page or opening a malicious file, to be exploited (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during DXF file parsing, which can result in an out-of-bounds read past the end of an allocated buffer. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. Given the high CVSS score and the potential for code execution, this vulnerability poses a significant risk to affected systems (ZDI Advisory).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to mitigate the risk (ZDI Advisory).