VU#936962: Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0
Two vulnerabilities have been identified in FastStone Image Viewer 8.3. These flaws could allow for remote code execution or control-flow corruption. The issues affect the JPEG 2000 (JP2) parser and the PSD file parser. Attackers can exploit these by tricking the application into processing malicious image files. A heap-based buffer overflow in the JP2 parser, CVE-2026-30040, can be triggered by a malformed QCD marker. This allows arbitrary code execution, even without the user opening the file directly, if it's in the thumbnail enumeration range. An integer overflow in the PSD parser, CVE-2026-30041, results from improper height validation. This can lead to a heap-based buffer overflow, enabling code execution or denial-of-service. Exploitation could grant attackers arbitrary code execution in the user's context. The severity increases with the user's privileges. A patch is not yet available, and the vendor could not be reached for coordination. Users are advised to run the software with restricted accounts and block downloads of JP2 or PSD files from untrusted sources.