CVE-2019-13255

Vulnerability

XnView Classic version 2.48 (build 2.48.0.0, x86) contains a user-mode write access violation (AV) at address xnview+0x0000000000327464. The crash occurs when opening a specially crafted file, as demonstrated by a proof-of-concept file named id_000234_00 [1]. The exact nature of the malformed data is not disclosed, but the crash indicates improper memory handling.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious file using XnView Classic 2.48. No special permissions are required; the victim simply needs to open the file. The crash occurs immediately upon file parsing, as shown by the debugger output [1].

Impact

Successful exploitation causes a denial of service (crash) of the application. The vulnerability is classified as a user-mode write AV, which typically leads to application termination. There is no indication of arbitrary code execution from the available reference [1].

Mitigation

As of the disclosure date (2019-07-04), no official patch or updated version has been released to address this vulnerability. Users should exercise caution when opening files from untrusted sources. There is no known workaround. The vulnerability affects XnView Classic 2.48 only; users may consider upgrading to a later version if available [1].