CVE-2024-9767: 
IrfanView vulnerability analysis and mitigation

CVE-2024-9767 is a remote code execution vulnerability discovered in IrfanView software. The vulnerability specifically affects the SID file parsing functionality and was disclosed on November 22, 2024. This security flaw impacts IrfanView installations, particularly version 4.66 for x64 systems (NVD, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of SID files, which can result in an out-of-bounds read past the end of an allocated buffer. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 7.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is tracked as ZDI-CAN-23277 (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The impact is significant as it could lead to complete system compromise, though user interaction is required as the target must visit a malicious page or open a malicious file (ZDI Advisory).

A fix has been made available through a test version of IrfanView, which can be downloaded from http://www.irfanview.info/test/iview64_test.zip (ZDI Advisory).