CVE-2021-29362

7.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in IrfanView's RLE file parser allows attackers to execute arbitrary code by tricking users into opening a specially crafted RLE image file. This affects users of IrfanView 4.57 who open untrusted RLE files, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • IrfanView
Versions: 4.57 (specific version mentioned in CVE)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the RLE file format handler, in the FORMATS!ReadRAS_W function (the ReadRAS_W routine of IrfanView's FORMATS module). All installations of IrfanView 4.57 are vulnerable when they process RLE files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/administrator privileges leading to full system compromise, data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the current user when opening malicious RLE files from email attachments or downloads.

🟢 If Mitigated

Limited impact if the user runs with restricted privileges, has application sandboxing, or doesn't process untrusted RLE files.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious file, but common attack vectors include email attachments and malicious websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared network drives containing malicious RLE files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public research available with proof-of-concept. Exploitation requires user to open malicious RLE file but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.58 or later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download the latest IrfanView from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the version is 4.58 or higher.

🔧 Temporary Workarounds

Disable RLE file association (Windows)

Remove IrfanView as the default handler for .rle files so that a malicious file is not opened by IrfanView automatically when a user double-clicks it:

Control Panel > Default Programs > Set Associations > Find .rle > Change to Notepad or remove association

Application sandboxing (Windows)

Run IrfanView in a restricted environment (sandbox or constrained user context) to limit the impact of a successful exploit.

🧯 If You Can't Patch

  • Block RLE files at email gateways and web proxies
  • Implement least privilege - run IrfanView with standard user accounts only

🔍 How to Verify

Check if Vulnerable:

Check the IrfanView version via Help > About. If the version is 4.57, the installation is vulnerable.

Check Version:

i_view64.exe /?

(IrfanView is installed as i_view64.exe or, for the 32-bit build, i_view32.exe; the file version can also be read from the Details tab of the executable's Properties dialog in Explorer.)

Verify Fix Applied:

Verify IrfanView version is 4.58 or higher via Help > About menu.
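The two checks above (is the installed build 4.57, and does .rle still open in IrfanView) as one PowerShell audit script. This is an added example, not part of the advisory and not IrfanView's own tooling. The Uninstall registry keys, the default install paths and the assumption that IrfanView's file-type ProgIds start with "IrfanView" are mine; only the 4.58 fixed-version threshold comes from the advisory.

```powershell
# Added example, not from the advisory or from IrfanView: audit this host for the
# vulnerable 4.57 build and report whether .rle files still open in IrfanView.
# Assumptions (not stated on the page): the Uninstall registry keys and default
# install paths below are IrfanView's usual defaults, and IrfanView's file-type
# ProgIds start with "IrfanView". The 4.58 threshold is the advisory's fixed version.

$FixedVersion = [version]'4.58'

function Get-IrfanViewExe {
    # Prefer the install directory recorded by the installer, then fall back to
    # the default locations. Both the 64-bit and 32-bit binaries are checked.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $candidates = @(foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -like 'IrfanView*' -and $_.InstallLocation } |
            ForEach-Object {
                Join-Path $_.InstallLocation 'i_view64.exe'
                Join-Path $_.InstallLocation 'i_view32.exe'
            }
    })
    $candidates += @(
        "$env:ProgramFiles\IrfanView\i_view64.exe",        # assumed default path
        "${env:ProgramFiles(x86)}\IrfanView\i_view32.exe"  # assumed default path
    )
    $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
}

function Test-IrfanViewVulnerable {
    param([Parameter(Mandatory)][string]$ExePath)
    # Build the version from the numeric parts of the PE version resource rather
    # than parsing the FileVersion string, whose format varies between builds.
    $vi  = (Get-Item -LiteralPath $ExePath).VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path       = $ExePath
        Version    = $ver
        Vulnerable = ($ver -lt $FixedVersion)
    }
}

function Get-RleAssociation {
    # Explorer's per-user UserChoice key overrides the machine-wide HKCR\.rle
    # default, so report both and derive the effective handler. UserChoice is
    # hash-protected by Windows: change it through Set Associations / Default
    # Apps as the workaround describes, not by writing the registry directly.
    $machine = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.rle' -ErrorAction SilentlyContinue).'(default)'
    $user    = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice' -ErrorAction SilentlyContinue).ProgId
    $effective = if ($user) { $user } else { $machine }
    [pscustomobject]@{
        MachineProgId      = $machine
        UserChoiceProgId   = $user
        EffectiveProgId    = $effective
        OpensWithIrfanView = [bool]($effective -like 'IrfanView*')   # ProgId prefix is an assumption
    }
}

$exes = @(Get-IrfanViewExe)
if (-not $exes) { Write-Output 'IrfanView binaries not found on this host.' }
$exes | ForEach-Object { Test-IrfanViewVulnerable -ExePath $_ } | Format-Table -AutoSize
Get-RleAssociation | Format-List
```

Run it in an elevated PowerShell session so the HKLM Uninstall keys are readable; the association check only reports, because Windows rejects direct writes to the UserChoice key, which is why the workaround goes through the Set Associations dialog. A host with Vulnerable = False for every binary and OpensWithIrfanView = False has both the fix and the workaround in place.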

📡 Detection & Monitoring

Log Indicators:

  • Process creation from IrfanView with suspicious command-line arguments
  • Crash logs from IrfanView with RLE file references

Network Indicators:

  • Downloads of .rle files from untrusted sources
  • Email attachments with .rle extensions

SIEM Query:

(process_name="i_view32.exe" OR process_name="i_view64.exe") AND (file_extension=".rle" OR cmdline_contains="rle")

The parentheses around the two process names matter: in most query languages AND binds tighter than OR, so without them the query matches every i_view32.exe launch regardless of file type. The field names are pseudo-syntax and must be mapped to your SIEM's schema, and cmdline_contains="rle" also matches unrelated command lines that happen to contain those three letters, so tune it before alerting on it.
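The same detection logic as a PowerShell filter, run over a handful of constructed Sysmon Event ID 1 (process create) style records so the grouping can be checked offline. This is an added example, not part of the advisory; the field names Image, CommandLine and ParentImage are Sysmon's, and the sample records are made up for this example rather than real telemetry. It also covers the "process creation from IrfanView" log indicator above, which the SIEM query alone does not express.

```powershell
# Added example, not from the advisory: the SIEM query above as a PowerShell
# filter, run over constructed Sysmon Event ID 1 (process create) style records.
# The field names Image, CommandLine and ParentImage are Sysmon's; the sample
# records are made up for this example and are not real telemetry.

$IrfanViewImages = @('i_view32.exe', 'i_view64.exe')

function Get-Leaf([string]$Path) {
    # Last path component, accepting either separator so the filter also runs
    # on PowerShell for Linux/macOS against exported Windows logs.
    ($Path -split '[\\/]')[-1]
}

function Test-SuspiciousIrfanViewEvent {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $image  = (Get-Leaf $Event.Image).ToLowerInvariant()
    $parent = (Get-Leaf $Event.ParentImage).ToLowerInvariant()

    # Rule 1: IrfanView started with an .rle file on its command line. This is
    # the advisory's query with the OR/AND grouping made explicit: the process
    # test and the .rle test must BOTH hold, otherwise every i_view32.exe launch
    # (or every command line containing "rle") would fire. -match is
    # case-insensitive, so invoice.RLE is caught as well.
    $opensRle = ($IrfanViewImages -contains $image) -and ($Event.CommandLine -match '\.rle\b')

    # Rule 2: a process whose parent is IrfanView. An image viewer normally
    # spawns nothing, so a child such as cmd.exe is the "process creation from
    # IrfanView" indicator listed above and deserves a higher severity.
    $childOfViewer = ($IrfanViewImages -contains $parent) -and ($IrfanViewImages -notcontains $image)

    if ($childOfViewer) { return 'process spawned by IrfanView' }
    if ($opensRle)      { return 'IrfanView opened an .rle file' }
    return $null
}

# Constructed sample events (not real logs). Only the first and third should alert;
# the fourth shows why cmdline_contains="rle" on its own over-matches.
$sampleEvents = @(
    [pscustomobject]@{ Image       = 'C:\Program Files\IrfanView\i_view64.exe'
                       CommandLine = '"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\alice\Downloads\invoice.RLE"'
                       ParentImage = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ Image       = 'C:\Program Files\IrfanView\i_view64.exe'
                       CommandLine = '"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\alice\Pictures\holiday.jpg"'
                       ParentImage = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami'
                       ParentImage = 'C:\Program Files\IrfanView\i_view64.exe' },
    [pscustomobject]@{ Image       = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe C:\temp\rle-notes.txt'
                       ParentImage = 'C:\Windows\explorer.exe' }
)

foreach ($e in $sampleEvents) {
    $verdict = Test-SuspiciousIrfanViewEvent -Event $e
    if ($verdict) {
        "ALERT ($verdict): $($e.Image) [parent: $($e.ParentImage)] :: $($e.CommandLine)"
    }
}
```

To run the filter against live data, replace the constructed array with records built from Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}, mapping the event's Image, CommandLine and ParentImage properties onto the same field names. If you rely on Security event 4688 instead, command-line logging must be enabled through the "Include command line in process creation events" policy or the CommandLine field will be empty and rule 1 can never fire.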
