CVE-2024-6816 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2024-6816?

CVE-2024-6816 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PSP files in IrfanView. Attackers can gain control of the affected system through a heap-based buffer overflow during PSP file parsing. All IrfanView users who open untrusted PSP files are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PSP files in IrfanView. Attackers can gain control of the affected system through a heap-based buffer overflow during PSP file parsing. All IrfanView users who open untrusted PSP files are affected.

💻 Affected Systems

Products:

IrfanView

Versions: Versions prior to 4.67

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All Windows versions running vulnerable IrfanView versions are affected. The vulnerability requires user interaction to open malicious files.

📦 What is this software?

Irfanview by Irfanview

View all CVEs affecting Irfanview →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malware installation or system compromise when users open malicious PSP files from untrusted sources like email attachments or downloads.

🟢

If Mitigated

Limited impact with proper application sandboxing and user awareness preventing malicious file execution.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction but is technically straightforward once a malicious PSP file is crafted. The ZDI advisory suggests weaponization is likely given the nature of the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 or later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download latest IrfanView from official website
2. Run installer and follow prompts
3. Verify installation of version 4.67 or higher

🔧 Temporary Workarounds

Disable PSP file association

windows

Remove IrfanView as default handler for PSP files to prevent automatic opening

Control Panel > Default Programs > Set Default Programs > Select IrfanView > Choose defaults for this program > Uncheck .psp

Application sandboxing

windows

Run IrfanView in restricted environment to limit potential damage

🧯 If You Can't Patch

Implement application whitelisting to block IrfanView execution
Deploy email/web filtering to block PSP file attachments and downloads

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version via Help > About. Versions below 4.67 are vulnerable.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Confirm IrfanView version is 4.67 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

IrfanView crash logs with memory access violations
Windows Application Error events related to IrfanView

Network Indicators:

Downloads of PSP files from suspicious sources
Unusual outbound connections after PSP file opening

SIEM Query:

source="*irfanview*" AND (event_id=1000 OR event_id=1001) OR file_extension=".psp" AND process_name="irfanview.exe"

📊 Metadata

CVE ID: CVE-2024-6816

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: November 22, 2024

Last Updated: December 18, 2024

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-24-968/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-6816, you might also want to check these: