CVE-2024-6819: 
IrfanView vulnerability analysis and mitigation

IrfanView PSP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability affects IrfanView installations. The vulnerability was discovered and reported on February 13, 2024, and was publicly disclosed on July 26, 2024. This security flaw is tracked as CVE-2024-6819 and affects IrfanView version 4.66 x64 (ZDI Advisory, NVD).

The vulnerability exists within the parsing of PSP files and stems from improper validation of user-supplied data. This can result in a write past the end of an allocated buffer, classified as CWE-787 (Out-of-bounds Write). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score indicates that the vulnerability can lead to a complete compromise of the system's confidentiality, integrity, and availability, though user interaction is required (ZDI Advisory).

The vulnerability has been fixed with the release of an updated formats plugin. Users should download and install the updated plugin from: https://www.irfanview.net/plugins/formats_64.zip (ZDI Advisory).