CVE-2012-0278

critical

Published 2012-04-18 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Heap-based buffer overflow in the FlashPix PlugIn before 4.3.4.0 for IrfanView might allow remote attackers to execute arbitrary code via a .fpx file containing a crafted FlashPix image that is not properly handled during decompression.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18739 dos windows verified text · 2 KB

Francis Provencher · 2012-04-14

IrfanView FlashPix PlugIn - Decompression Heap Overflow

text exploit Source: Exploit-DB

#####################################################################################

Application:  IrfanView FlashPix PlugIn Decompression Heap Overflow

Platforms:   Windows

Secunia Number:   SA48772  

{PRL}:   2012-08

Author:   Francis Provencher (Protek Research Lab's)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Timeline
3) Technical details
4) PoC


#####################################################################################

===============
1) Introduction
===============

IrfanView is a freeware/shareware image viewer for Microsoft Windows that can view, edit, and convert image files

and play video/audio files. It is noted for its small size, speed, ease of use, and ability to handle a wide variety of graphic

file formats, and has some image creation and painting capabilities. The software was first released in 1996.

IrfanView is free for non-commercial use; commercial use requires paid registration.

#####################################################################################

============
2) Timeline
============


2012-04-06 - Vulnerability reported to secunia
2012-04-13 - Coordinated public release of advisory

#####################################################################################

=================
3) Technical details
=================

The vulnerability is caused due to insufficient validation when decompressing FlashPix images

and can be exploited to cause a heap-based buffer overflow via a specially crafted FPX file.

#####################################################################################

=============
4) The PoC
=============

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19960.fpx


###############################################################################

Application impact

Vendor	Product	Versions
irfanview	flashpix_plugin	`{"endIncluding":"4.33"}`
irfanview	flashpix_plugin	`4.32`
irfanview	irfanview

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.