CVE-2024-11573: 
IrfanView vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2024-11573) was discovered in IrfanView's DXF file parsing functionality. The vulnerability was reported on July 24, 2024, and publicly disclosed on November 21, 2024. This security flaw affects IrfanView installations up to version 4.67 (both x64 and x86 versions) (Zero Day Initiative).

The vulnerability stems from improper validation of user-supplied data during DXF file parsing, which can result in a memory corruption condition. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (NVD).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code in the context of the current process on affected IrfanView installations. The impact could result in complete compromise of the affected system's confidentiality, integrity, and availability (Zero Day Initiative).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to mitigate the risk (Zero Day Initiative).