CVE-2024-9258: 
IrfanView vulnerability analysis and mitigation

IrfanView SID File Parsing Uninitialized Pointer Remote Code Execution Vulnerability (CVE-2024-9258) is a security flaw discovered in IrfanView software. The vulnerability was disclosed on November 22, 2024, affecting IrfanView version 4.66 x64. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView when users interact with malicious content (Zero Day Initiative).

The vulnerability exists within the parsing of SID files and results from the lack of proper initialization of a pointer prior to accessing it. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-824 (Access of Uninitialized Pointer) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability when successfully exploited (Zero Day Initiative).

A fix has been made available in the test version of IrfanView, which can be downloaded from http://www.irfanview.info/test/iview64_test.zip (Zero Day Initiative).