CVE-2013-3486

9.6 CRITICAL

📋 TL;DR

CVE-2013-3486 is an integer overflow vulnerability in IrfanView's FlashPix plugin version 4.3.4.0 that allows remote attackers to execute arbitrary code via a specially crafted FlashPix (.FPX) image file. Users who open malicious FPX files with vulnerable IrfanView installations are affected.

💻 Affected Systems

Products:
  • IrfanView FlashPix Plugin
Versions: 4.3.4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction; the victim must open a malicious FPX file. All Windows versions supported by IrfanView are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with SYSTEM/administrator privileges leading to complete system compromise, data theft, and lateral movement.

🟠

Likely Case

Remote code execution with user privileges leading to malware installation, data exfiltration, and persistence establishment.

🟢

If Mitigated

Limited impact if application runs with minimal privileges, sandboxed, or network access is restricted.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to open a malicious FPX file. Public exploit code exists in security databases.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.36 or later

Vendor Advisory: http://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download the latest IrfanView from the official website.
2. Run the installer.
3. Select the 'Update' option if upgrading.
4. Complete the installation wizard.

🔧 Temporary Workarounds

Disable FlashPix plugin (Windows)

Remove or rename the FlashPix plugin file so that IrfanView cannot load it:

rename "C:\Program Files\IrfanView\Plugins\FORMATS\FlashPix.dll" "FlashPix.dll.disabled"

Block FPX file association (Windows)

Remove the FPX file type association with IrfanView from the Windows registry:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx" /f

🧯 If You Can't Patch

  • Run IrfanView with restricted user privileges (not administrator)
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the IrfanView Help > About dialog for the version number. If the version is 4.35 or earlier and the FlashPix plugin is 4.3.4.0, the system is vulnerable.

Check Version:

"C:\Program Files\IrfanView\i_view32.exe" /?

Verify Fix Applied:

Verify that the IrfanView version is 4.36 or later and that the FlashPix.dll plugin file version has been updated.

📡 Detection & Monitoring

Log Indicators:

  • IrfanView crash logs with access violation in FlashPix.dll
  • Windows Application Error events with faulting module FlashPix.dll

Network Indicators:

  • Downloads of FPX files from untrusted sources
  • Unusual outbound connections after FPX file opening

SIEM Query:

source="windows" AND event_id=1000 AND process_name="i_view32.exe" AND faulting_module="FlashPix.dll"
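The version check from "How to Verify" and the Event ID 1000 crash hunt from "Detection & Monitoring", combined into one Windows PowerShell script. This is an added example, not part of the advisory or of IrfanView; it assumes the default install paths quoted above, that the plugin's file version reports the affected 4.3.4.0 build, and that the Application Error event message names the faulting application and module (the usual Windows format).

```powershell
# Added example, not part of the advisory: checks the installed IrfanView and FlashPix
# plugin versions against the fixed release, then looks for Application Error events
# (Event ID 1000) where i_view32.exe faulted in FlashPix.dll.
# Assumptions: the install paths from the advisory, and that the Event ID 1000 message
# text names the faulting application and module (the usual Windows format).

$IrfanViewExe = 'C:\Program Files\IrfanView\i_view32.exe'
$FlashPixDll  = 'C:\Program Files\IrfanView\Plugins\FORMATS\FlashPix.dll'
$FixedVersion = [version]'4.36'      # first fixed IrfanView release per the advisory
$BadPlugin    = [version]'4.3.4.0'   # affected FlashPix plugin build per the advisory

function Get-NumericFileVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # FileVersion strings may carry trailing text; keep only the numeric prefix.
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Test-IrfanViewFlashPixVulnerable {
    $exeVer = Get-NumericFileVersion $IrfanViewExe
    $dllVer = Get-NumericFileVersion $FlashPixDll
    $vulnerable = $false
    if ($null -ne $dllVer) {
        # Plugin is loadable: flag the affected build, or any IrfanView older than the fix.
        if ($dllVer -eq $BadPlugin) { $vulnerable = $true }
        if ($null -ne $exeVer -and $exeVer -lt $FixedVersion) { $vulnerable = $true }
    }
    [pscustomobject]@{
        IrfanViewVersion = $exeVer
        FlashPixVersion  = $dllVer
        PluginLoadable   = ($null -ne $dllVer)
        Vulnerable       = $vulnerable
    }
}

function Get-FlashPixCrashEvents {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Application'; Id = 1000; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'i_view32\.exe' -and $_.Message -match 'FlashPix\.dll' } |
        Select-Object TimeCreated, MachineName, Message
}

Test-IrfanViewFlashPixVulnerable | Format-List
Get-FlashPixCrashEvents | Format-List
```

A host where the plugin has been renamed per the workaround reports PluginLoadable False and Vulnerable False even on an unpatched IrfanView; any crash events it returns are the same records the SIEM query above matches.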
