CVE-2021-26237

7.8 HIGH

📋 TL;DR

FastStone Image Viewer version 7.5 and earlier contains a memory corruption vulnerability when processing malformed CUR cursor files. Attackers can exploit this to cause denial of service or potentially execute arbitrary code. Users who open untrusted CUR files with affected versions are at risk.

💻 Affected Systems

Products:
  • FastStone Image Viewer
Versions: 7.5 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when processing CUR files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the user running FastStone Image Viewer, potentially leading to full system compromise.

🟠 Likely Case: Application crash (denial of service) when processing specially crafted CUR files.

🟢 If Mitigated: No impact if users do not open untrusted CUR files or are running a patched version.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious file, but CUR files could be delivered via email or downloads.
🏢 Internal Only: MEDIUM - Similar risk profile, depends on user behavior with file attachments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. The public proof-of-concept demonstrates a crash, but code execution may require additional exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6 or later

Vendor Advisory: https://www.faststone.org/FSViewerDetail.htm

Restart Required: No

Instructions:

1. Download latest version from FastStone website.
2. Run installer.
3. Follow installation prompts.
4. Verify version is 7.6 or higher.

🔧 Temporary Workarounds

Disable CUR file association (Windows)

Remove FastStone Image Viewer as the default handler for CUR files:

Control Panel > Default Programs > Set Default Programs > Choose FastStone Image Viewer > Choose defaults for this program > Uncheck .cur

Block CUR files at perimeter (all platforms)

Filter CUR files at email gateways and web proxies.
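A perimeter filter for the workaround above can identify CUR files by their header instead of relying on the file extension. The following Python is an added example, not part of the original advisory or any vendor tooling; `inspect_cur` and `gateway_verdict` are hypothetical names. Its structural checks are generic ICO/CUR directory sanity checks, not a signature for the specific malformation behind this CVE, which the advisory does not describe.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type, image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, hotspot x/y, size, offset
TYPE_CUR = 2                               # 1 = ICO, 2 = CUR


def inspect_cur(data: bytes) -> dict:
    """Classify a buffer as CUR by its header and sanity-check the image directory."""
    result = {"is_cur": False, "entries": 0, "problems": []}
    if len(data) < ICONDIR.size:
        return result
    reserved, res_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or res_type != TYPE_CUR:
        return result
    result["is_cur"] = True
    result["entries"] = count
    if count == 0:
        result["problems"].append("directory declares zero images")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        result["problems"].append("directory runs past end of file")
        return result
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset < dir_end:
            result["problems"].append(f"entry {i}: image data overlaps the directory")
        if size == 0 or offset + size > len(data):
            result["problems"].append(f"entry {i}: image data outside the file")
    return result


def gateway_verdict(filename: str, data: bytes) -> str:
    """Hypothetical policy hook: block anything that is CUR by content or by name."""
    if inspect_cur(data)["is_cur"] or filename.lower().endswith(".cur"):
        return "block"
    return "allow"


# Constructed samples for illustration (not real cursor files).
SAMPLE_OK = ICONDIR.pack(0, TYPE_CUR, 1) + ICONDIRENTRY.pack(32, 32, 0, 0, 0, 0, 8, 22) + b"\x00" * 8
SAMPLE_TRUNCATED = ICONDIR.pack(0, TYPE_CUR, 1) + ICONDIRENTRY.pack(32, 32, 0, 0, 0, 0, 4096, 22)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("a.cur", SAMPLE_OK), ("b.ico", SAMPLE_TRUNCATED), ("c.png", SAMPLE_PNG)]:
        print(name, gateway_verdict(name, blob), inspect_cur(blob)["problems"])
```

The `problems` list can be logged alongside the block decision so that structurally inconsistent CUR files stand out during triage.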

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of FastStone Image Viewer
  • Educate users to never open CUR files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Open FastStone Image Viewer, go to Help > About, check if version is 7.5 or earlier.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

After updating, verify version is 7.6 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs from FSViewer.exe
  • Windows Event Logs with Application Error for FSViewer.exe

Network Indicators:

  • Unusual downloads of CUR files
  • Email attachments with CUR extensions

SIEM Query:

EventID=1000 AND SourceName="Application Error" AND ProcessName="FSViewer.exe"
