CVE-2024-11542: 
IrfanView vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2024-11542) was discovered in IrfanView software, specifically affecting version 4.67 (x64 and x86). The vulnerability was disclosed on November 22, 2024, and involves a memory corruption issue in the DXF file parsing functionality (Zero Day Initiative).

The vulnerability exists within the parsing of DXF files in IrfanView. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-787 (Out-of-bounds Write) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (NVD).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. The attacker can leverage this vulnerability to execute code in the context of the current process, potentially gaining control over the affected system (Zero Day Initiative).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to mitigate the risk (Zero Day Initiative).