CVE-2019-17258

7.8 HIGH

📋 TL;DR

CVE-2019-17258 is a memory corruption vulnerability in IrfanView's JPEG-LS decoder in which data from a faulting address controls the address of a subsequent write. It affects users of IrfanView 4.53 who open malicious JPEG-LS images. Attackers could potentially execute arbitrary code on the victim's system.

💻 Affected Systems

Products:
  • IrfanView
Versions: 4.53 specifically (check history for other potentially affected versions)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the JPEG-LS plugin/decoder. All installations with this version are vulnerable when processing JPEG-LS images.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/administrator privileges leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash (denial of service) or limited code execution in the context of the current user.

🟢 If Mitigated

Application crash with no code execution if DEP/ASLR protections are effective.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious file, but common in image viewing scenarios.
🏢 Internal Only: MEDIUM - Similar risk profile, but limited to internal attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the user to open a malicious JPEG-LS file. Public research demonstrates the vulnerability, and weaponized exploits may exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.54 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download the latest IrfanView from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the version is 4.54 or higher.

🔧 Temporary Workarounds

Disable JPEG-LS plugin

windows

Remove or disable the JPEG-LS plugin to prevent processing of vulnerable file format

Move or delete plugins\JPEG_LS.dll from IrfanView installation directory

File type association removal

windows

Remove IrfanView as default handler for JPEG-LS files

Control Panel > Default Programs > Set Associations > Remove .jls/.jpeg-ls from IrfanView

🧯 If You Can't Patch

  • Implement application whitelisting to block IrfanView execution
  • Use Group Policy to prevent opening of .jls/.jpeg-ls files with IrfanView

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version via Help > About. If version is 4.53, system is vulnerable.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Verify version is 4.54 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in IrfanView with access violation in JPEG_LS.dll
  • Windows Event Logs showing IrfanView process termination

Network Indicators:

  • Downloads of .jls/.jpeg-ls files from untrusted sources
  • Unusual outbound connections after IrfanView execution

SIEM Query:

source="Windows Security" AND event_id=4688 AND (process_name="i_view32.exe" OR process_name="i_view64.exe")
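
The verification and log checks above can be run together on a single host. The following PowerShell is an added example, not code from the vendor or from the original advisory: it prints the installed version string, reports whether plugins\JPEG_LS.dll is still present, and lists crash events that name both IrfanView and JPEG_LS.dll. The install directories and the use of the Application Error provider (event ID 1000) as the crash source are assumptions.

```powershell
# Added example: host audit for the IrfanView JPEG-LS exposure described on this page.
# Assumption: IrfanView lives in one of these directories; edit for custom installs.
$installDirs = @(
    "$env:ProgramFiles\IrfanView",
    "${env:ProgramFiles(x86)}\IrfanView"
) | Where-Object { $_ -and (Test-Path $_) }

$installs = foreach ($dir in $installDirs) {
    foreach ($exeName in 'i_view64.exe', 'i_view32.exe') {
        $exe = Join-Path $dir $exeName
        if (-not (Test-Path $exe)) { continue }
        [pscustomobject]@{
            Executable          = $exe
            # Printed as stored in the file; compare it by hand against 4.53 / 4.54.
            ProductVersion      = (Get-Item $exe).VersionInfo.ProductVersion
            # True means the "disable JPEG-LS plugin" workaround is NOT in place.
            JpegLsPluginPresent = Test-Path (Join-Path $dir 'Plugins\JPEG_LS.dll')
        }
    }
}

if ($installs) { $installs | Format-Table -AutoSize }
else { Write-Output 'No IrfanView executable found in the assumed directories.' }

# Crash indicator: application crash records that mention both the IrfanView
# executable and the JPEG-LS plugin module.
# Assumption: crashes are recorded by the "Application Error" provider as event 1000.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'i_view(32|64)\.exe' -and $_.Message -match 'JPEG_LS\.dll'
    }

if ($crashes) {
    $crashes | Select-Object TimeCreated, MachineName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0..2] -join ' | ' } } |
        Format-List
} else {
    Write-Output 'No IrfanView crash events referencing JPEG_LS.dll were found.'
}
```

A host that still shows JpegLsPluginPresent as True alongside a 4.53 version string has neither the fix nor the plugin workaround applied.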
