CVE-2019-17249

7.8 HIGH

📋 TL;DR

CVE-2019-17249 is a memory corruption vulnerability in IrfanView's WSQ file parser that allows an attacker to execute arbitrary code. When a user opens a specially crafted WSQ image file, it triggers a write access violation that can lead to remote code execution. This affects all users of IrfanView 4.53 who open untrusted WSQ files.

💻 Affected Systems

Products:
  • IrfanView
Versions: 4.53 specifically (check if earlier versions are also vulnerable)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with WSQ plugin/format support enabled. WSQ is a fingerprint image format not commonly used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the logged-in user, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash (denial of service) or limited code execution within IrfanView's process context.

🟢 If Mitigated

Application crash without code execution if exploit fails or memory protections are enabled.

🌐 Internet-Facing: LOW - IrfanView is typically not an internet-facing service, though malicious files could be delivered via web or email.
🏢 Internal Only: MEDIUM - Users opening malicious WSQ files from internal shares or email attachments could be compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. The vulnerability is in the WSQ parsing code, making reliable exploitation possible but not trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.54 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download IrfanView 4.54 or later from official website.
2. Run installer.
3. Choose 'Update' option if upgrading from previous version.
4. Complete installation wizard.

🔧 Temporary Workarounds

Disable WSQ plugin (Windows)

Remove or disable the WSQ plugin to prevent parsing of WSQ files:

Move or delete WSQ.DLL from the IrfanView plugins folder

File association removal (Windows)

Remove the WSQ file association from IrfanView:

In IrfanView: Options → Properties/Settings → Extensions → Uncheck WSQ

🧯 If You Can't Patch

  • Block WSQ files at email/web gateways using file extension filtering
  • Educate users not to open WSQ files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version via Help → About. If version is 4.53, it's vulnerable.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Verify version is 4.54 or later in Help → About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of IrfanView with access violation errors
  • Windows Event Logs showing IrfanView process termination

Network Indicators:

  • Downloads of WSQ files from untrusted sources
  • Email attachments with WSQ extensions

SIEM Query:

(EventID=1000 OR EventID=1001) AND (ProcessName="i_view32.exe" OR ProcessName="i_view64.exe")
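
The SIEM query above, worked as an added Python example (not part of the original advisory): it applies the query's four terms with explicit grouping to constructed events, shows what the same terms match when left ungrouped and AND binds tighter than OR, and ranks the hits. The field names FaultingModule and ExceptionCode, and the idea that a crash inside the plugin reports WSQ.DLL as the faulting module, are assumptions.

```python
# Constructed sample events. EventID and ProcessName follow the page's query;
# FaultingModule and ExceptionCode are assumed names for normalised fields.
SAMPLE_EVENTS = [
    {"EventID": 1000, "ProcessName": "i_view64.exe", "FaultingModule": "WSQ.DLL", "ExceptionCode": "0xc0000005"},
    {"EventID": 1000, "ProcessName": "winword.exe", "FaultingModule": "ntdll.dll", "ExceptionCode": "0xc0000005"},
    {"EventID": 1001, "ProcessName": "I_VIEW32.EXE"},
    {"EventID": 4688, "ProcessName": "i_view64.exe"},
    {"EventID": 1000, "ProcessName": "i_view32.exe", "FaultingModule": "i_view32.exe", "ExceptionCode": "0xc0000005"},
]

CRASH_EVENT_IDS = {1000, 1001}
IRFANVIEW_IMAGES = {"i_view32.exe", "i_view64.exe"}
ACCESS_VIOLATION = 0xC0000005  # STATUS_ACCESS_VIOLATION
WSQ_PLUGIN = "wsq.dll"         # plugin file named on the page


def _name(ev):
    # Process names are compared case-insensitively.
    return str(ev.get("ProcessName", "")).lower()


def grouped_match(ev):
    """(EventID 1000 OR 1001) AND (ProcessName i_view32.exe OR i_view64.exe)."""
    return ev.get("EventID") in CRASH_EVENT_IDS and _name(ev) in IRFANVIEW_IMAGES


def ungrouped_match(ev):
    """Same terms without parentheses, evaluated with AND before OR."""
    return (ev.get("EventID") == 1000
            or (ev.get("EventID") == 1001 and _name(ev) == "i_view32.exe")
            or _name(ev) == "i_view64.exe")


def priority(ev):
    """None if not an IrfanView crash; otherwise high, medium or low."""
    if not grouped_match(ev):
        return None
    try:
        code = int(str(ev.get("ExceptionCode", "")), 16)
    except ValueError:
        code = None  # e.g. an Event 1001 record with no exception code field
    if code != ACCESS_VIOLATION:
        return "low"
    module = str(ev.get("FaultingModule", "")).lower()
    return "high" if module == WSQ_PLUGIN else "medium"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], ev["ProcessName"], grouped_match(ev), ungrouped_match(ev), priority(ev))
```

On the constructed events the ungrouped form matches all five records, including an unrelated winword.exe crash and a non-crash event, while the grouped form matches only the three IrfanView crashes.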
