CISA issues notice on FastStone Image Viewer parsing flaws
FastStone Image Viewer version 8.3 is affected by two file-parsing vulnerabilities that can result in remote code execution or control-flow corruption when the application processes specially crafted image files. The issues involve the JPEG 2000 (JP2) parser and the PSD file parser, with outcomes that include arbitrary code execution or program crashes depending on user context.
For CVE-2026-30040, a critical heap-based buffer overflow occurs in FastStone Image Viewer versions 8.3 and earlier during JPEG 2000 (JP2) file parsing. The trigger involves a malformed QCD (quantization default, 0xFF5C) marker in the FSViewer.exe process, where exploiting the flaw allows a remote attacker to overwrite the EIP (instruction pointer) and execute arbitrary code in the context of the current process via a crafted JP2 file. This issue does not require the victim to directly open the crafted JP2 file; during automatic thumbnail generation, the application enumerates directories and files within two directory levels are parsed by the JP2 decoder, so the vulnerability triggers if the malicious JP2 file appears within that enumeration range. For CVE-2026-30041, an integer overflow exists in the PSD parser of FastStone Image Viewer versions 8.3 and earlier, caused by insufficient validation of the height value in PSD files, which then leads to a heap-based buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code or cause a persistent denial-of-service (crash) via a crafted PSD file.
Successful exploitation of CVE-2026-30040 could allow arbitrary code execution in the context of the user running FastStone Image Viewer. In addition, an attacker could exploit CVE-2026-30041 to overwrite the instruction pointer and control the program's execution flow, crashing the application or potentially enabling arbitrary code execution. The impact severity depends on the privileges of the user running the application, and code executed under elevated permissions would result in higher risk.
A patch was not available at the time of the advisory. To limit risk, the guidance states to run the software using a restricted local account and enforce policies that prevent users from downloading or saving JP2 or PSD files from untrusted sources.
The advisory also notes that coordination with the vendor could not be completed, and it provides the disclosure and authorship information that the vulnerability was disclosed by Sunghun Oh and the document was written by Bob Kemerer.