{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/936962#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nTwo vulnerabilities have been identified in FastStone Image Viewer 8.3 that may allow remote code execution or control-flow corruption when processing specially crafted image files. The affected components include the JPEG 2000 (JP2) parser and the PSD file parser. An attacker can exploit these vulnerabilities by causing the application to automatically or interactively process malicious image files. \r\n\r\n### Description\r\nFastStone Image Viewer is a software tool for browsing, editing, and managing images, offering features like full‑screen viewing, batch processing, red‑eye removal, and a wide range of editing effects. It supports virtually all major image and RAW formats and includes conveniences like slideshows, comparison tools, scanner support, and screen capture.\r\n\r\n**CVE-2026-30040** A critical heap-based buffer overflow vulnerability exists in FastStone Image Viewer, versions 8.3 and earlier. The issue is triggered during the parsing of JPEG 2000 (JP2) files due to a malformed QCD (quantization default, `0xFF5C`) marker in the `FSViewer.exe` process. By exploiting this flaw, a remote attacker can overwrite the EIP (instruction pointer) and execute arbitrary code in the context of the current process via a crafted JP2 file.\r\n\r\nNotably, this issue does not require the victim to directly open the crafted JP2 file. When the application enumerates directories during automatic thumbnail generation, files within two directory levels are parsed by the JP2 decoder. If the malicious JP2 file is present within this enumeration range (for example in the user’s Downloads folder), the vulnerability is triggered automatically.\r\n\r\n**CVE-2026-30041** An integer overflow vulnerability exists in the PSD parser of FastStone Image Viewer, versions 8.3 and earlier. The vulnerability is caused by a lack of proper validation for the *height* value in PSD files, leading to a subsequent heap-based buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code or cause a persistent denial-of-service (crash) via a crafted PSD file.\r\n\r\n### Impact\r\nSuccessful exploitation of CVE-2026-30040 could allow arbitrary code execution in the context of the user running FastStone Image Viewer. Additionally, an attacker could exploit CVE-2026-30041 to overwrite the instruction pointer and control the program's execution flow, crashing the application or potentially enabling arbitrary code execution. The impact severity depends on the privileges of the user running the application. Code executed under elevated permissions would result in significantly higher risk.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the vendor for coordination, and a patch is not yet available. To limit the risk of this vulnerability, run the software using a restricted local account and enforce policies that prevent users from downloading or saving JP2 or PSD files from untrusted sources. \r\n\r\n### Acknowledgements\r\nThis vulnerability was disclosed by Sunghun Oh. This document was written by Bob Kemerer.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. 
","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/936962"},{"url":"https://cwe.mitre.org/data/definitions/122.html","summary":"https://cwe.mitre.org/data/definitions/122.html"},{"url":"https://owasp.org/www-community/vulnerabilities/Buffer_Overflow","summary":"https://owasp.org/www-community/vulnerabilities/Buffer_Overflow"},{"url":"https://en.wikipedia.org/wiki/Heap_overflow","summary":"https://en.wikipedia.org/wiki/Heap_overflow"},{"url":"https://cwe.mitre.org/data/definitions/190.html","summary":"https://cwe.mitre.org/data/definitions/190.html"},{"url":"https://en.wikipedia.org/wiki/Integer_overflow","summary":"https://en.wikipedia.org/wiki/Integer_overflow"},{"url":"https://www.fortinet.com/resources/cyberglossary/remote-code-execution","summary":"https://www.fortinet.com/resources/cyberglossary/remote-code-execution"}],"title":"Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0","tracking":{"current_release_date":"2026-06-22T18:41:47+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.42"}},"id":"VU#936962","initial_release_date":"2026-06-22 18:41:47.434913+00:00","revision_history":[{"date":"2026-06-22T18:41:47+00:00","number":"1.20260622184147.1","summary":"Released on 2026-06-22T18:41:47+00:00"}],"status":"final","version":"1.20260622184147.1"}},"vulnerabilities":[{"title":"An integer overflow vulnerability exists in the PSD parser of FastStone Image Viewer, versions 8.","notes":[{"category":"summary","text":"An integer overflow vulnerability exists in the PSD parser of FastStone Image Viewer, versions 8.3 and earlier. The vulnerability is caused by a lack of proper validation for the height value in PSD files, leading to a subsequent heap-based buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code or cause a persistent denial-of-service (crash) via a crafted PSD file."}],"cve":"CVE-2026-30041","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#936962"}]},{"title":"A critical heap-based buffer overflow vulnerability exists in FastStone Image Viewer, versions 8.","notes":[{"category":"summary","text":"A critical heap-based buffer overflow vulnerability exists in FastStone Image Viewer, versions 8.3 and earlier. The issue is triggered during the parsing of JPEG 2000 (JP2) files due to a malformed QCD (quantization default, 0xFF5C) marker in the FSViewer.exe process. By exploiting this flaw, a remote attacker can overwrite the EIP (instruction pointer) and execute arbitrary code in the context of the current process via a crafted JP2 file.\r\n\r\nNotably, this issue does not require the victim to directly open the crafted JP2 file. When the application enumerates directories during automatic thumbnail generation, files within two directory levels are parsed by the JP2 decoder. If the malicious JP2 file is present within this enumeration range (for example in the user’s Downloads folder), the vulnerability is triggered automatically."}],"cve":"CVE-2026-30040","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#936962"}]}],"product_tree":{"branches":[]}}