CVE-2019-12894

Vulnerability

Alternate Pic View version 2.600 contains a read access violation at the instruction pointer after a call from PicViewer!PerfgrapFinalize+0x00000000000a9a1b. The crash is triggered when a malformed image file is opened, leading to an invalid memory access. The exact conditions required to reach the vulnerable code path are not fully detailed, but the issue is reproduced by opening a specially crafted file. [1]

Exploitation

An attacker must provide a malformed image file (e.g., a fuzzed sample) that, when opened by the user in Alternate Pic View, triggers the read access violation. The exploit requires no special network position or authentication beyond the ability to deliver the file to the target. According to the available reference, the crash occurs immediately upon parsing the file, with no user interaction beyond opening the file. [1]

Impact

Successful exploitation results in a denial-of-service condition due to application crash. The read access violation does not appear to allow code execution or privilege escalation based on the available information. The crash manifests as an instruction pointer (EIP) pointing to an invalid memory location (0xc0000000). [1]

Mitigation

As of the publication date (2019-06-19), no official patch or fixed version has been released for Alternate Pic View 2.600. The application may be abandoned or unmaintained. Users should avoid opening untrusted image files with Alternate Pic View and consider using an alternative, supported image viewer. No workaround is provided in the references. [1]