A large number of memory vulnerabilities caused by improper input validation in the PDF.dll plugin of IrfanView version 4.60 x64 by Irfan Skiljan allow attackers to execute code when a user opens a crafted PDF file. The PDF.dll plugin is not shipped with IrfanView by default; the user has to download and activate it first. The issues have been fixed in version 4.61 of IrfanView.

Credits / Discoverer

Philip Kolvenbach of Fraunhofer SIT

The research that led to the discovery of CVE-2023-24304 has been funded in part by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE.