CVE-2024-11514: 
IrfanView vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2024-11514) was discovered in IrfanView's ECW file parsing functionality. The vulnerability was reported on May 9, 2024, and publicly disclosed on November 21, 2024. This security flaw affects IrfanView installations and requires user interaction to be exploited (Zero Day Initiative).

The vulnerability stems from improper validation of user-supplied data length during ECW file parsing, which can lead to a heap-based buffer overflow condition. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected IrfanView installations. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (Zero Day Initiative).

The vulnerability has been fixed in IrfanView version 4.70 with plugins version 4.70. Users are advised to upgrade to this version to mitigate the risk (Zero Day Initiative).