CVE-2024-9259: 
IrfanView vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2024-9259) was discovered in IrfanView affecting the SID file parsing functionality. The vulnerability was disclosed on November 22, 2024, and affects IrfanView version 4.66 x64. This security flaw allows remote attackers to execute arbitrary code on affected installations, though user interaction is required through visiting a malicious page or opening a malicious file (ZDI Advisory).

The vulnerability exists within the parsing of SID files and stems from improper validation of user-supplied data, which can result in an out-of-bounds write past the end of an allocated buffer. The severity is rated as HIGH with a CVSS v3.1 base score of 7.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-787 (Out-of-bounds Write) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. Given the high CVSS score and the potential for code execution, this vulnerability poses a significant risk to affected systems (ZDI Advisory).

A fix has been made available in the test version of IrfanView, which can be downloaded from http://www.irfanview.info/test/iview64_test.zip (ZDI Advisory).