CVE-2019-12893

Vulnerability

Alternate Pic View version 2.600 contains a user mode write access violation vulnerability in the PicViewer!PerfgrapFinalize+0xa8868 function. The issue manifests when processing a specially crafted image file, triggering a memory write to an invalid address (0x01000003) and causing the application to crash. The crash was demonstrated using fuzzed samples [1].

Exploitation

An attacker can trigger the vulnerability by providing a malicious image file (e.g., via fuzzing) to Alternate Pic View 2.600 and opening it in the viewer. No special authentication or network position is required; the attack is local and relies on the user opening the crafted file. The debugger log shows the write fault at PicViewer!PerfgrapFinalize+0xa8868 [1].

Impact

Successful exploitation results in a denial-of-service (DoS) state, as the application crashes due to the write access violation. The crash may corrupt memory and could potentially be leveraged for arbitrary code execution in certain contexts, though no public proof-of-concept demonstrates such escalation beyond the crash [1].

Mitigation

No official fix or updated version has been released by the vendor. Affected users should consider discontinuing use of Alternate Pic View version 2.600 or replacing it with a similar tool that is actively maintained. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the assessment date.