
Unpatched Code-Execution Flaws in FastStone Image Viewer: CVE-2026-30040 / 30041 — No Fix Yet

FastStone Image Viewer (8.3.0.0 and earlier), a free image viewer, has two flaws (CVE-2026-30040 / 30041) that let a crafted image take over a PC; the former triggers from automatic thumbnail generation alone. The vendor is unreachable and no patch exists, so mitigations — not processing untrusted images — are essential.

Makoto Horikawa (Backend Engineer / AWS / Django), 2026.06.23

FastStone Image Viewer, a free image viewer and manager in wide use, has flaws that can let a crafted image file take over a PC. They are tracked as CVE-2026-30040 and CVE-2026-30041. In Japan, JVN (JVNVU#98582044) issued an advisory on June 23, 2026, and the U.S. CERT/CC tracks it as VU#936962.

What demands extra caution is that no fixed version (patch) is available. Per CERT/CC, the vendor could not be reached and there is no timeline for a fix. Affected: FastStone Image Viewer 8.3.0.0 and earlier. CVE-2026-30040 is especially nasty because it triggers just from automatic thumbnail generation when a folder is opened — without the user even clicking an image. For now, protect yourself by not processing untrusted image files.

Software: FastStone Image Viewer 8.3.0.0 and earlier
CVEs: CVE-2026-30040 / CVE-2026-30041 (JVNVU#98582044)
Type: Heap buffer overflow; integer overflow
What can happen: Arbitrary code execution (current user privileges)
Fix status: No patch (mitigate instead)
Published: June 2026 (JVN / CERT/CC)

Who is at risk, and what is the damage

The attack scenario is an attacker who gets a FastStone Image Viewer user to open a crafted image file, or slips one into a folder they will browse. Email attachments, download sites, shared folders, USB sticks — there are countless ways images arrive. The trick lands where you accept something as "just an image."

The scary part is how easily it triggers. CVE-2026-30040 can be exploited simply by FastStone generating thumbnails (the small previews) for a folder that contains the crafted file — without even opening the image. The other, CVE-2026-30041, triggers when a crafted PSD (Photoshop) file is processed. On success, the attacker can run arbitrary programs on that PC, at the privileges of the logged-in user.

The damage can extend to theft of personal files like photos and documents and saved credentials, takeover of the PC, and from there a foothold for ransomware or intrusion into the internal network. Crucially, because no patch exists, the usual fix of "just update to the latest version" is not available — which is why the mitigations below matter.

What is happening, technically

CVE-2026-30040 is a heap buffer overflow (CWE-122). Per CERT/CC's VU#936962, it occurs while automatic thumbnail generation enumerates a directory and processes files within two levels; a write beyond the allocated size can overwrite the instruction pointer (EIP) that decides where the program runs, leading to arbitrary code execution.

CVE-2026-30041 stems from an integer overflow (CWE-190) that in turn causes a heap buffer overflow. It triggers when a crafted PSD file is processed and, by controlling the instruction pointer, can lead to code execution or a crash (denial of service). In both cases, the root cause is the software failing to safely handle malformed data hidden inside an image.
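To make the CWE-190 to CWE-122 chain described above concrete, here is an added example (not FastStone's code and not the actual bug): a constructed PSD-like header whose dimensions wrap a 32-bit byte count, beside a checked version that rejects the header before anything is allocated. The header layout, the MAX_IMAGE_BYTES cap and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, PSD-like header fields (hypothetical layout, not FastStone's). */
typedef struct { uint32_t width, height; uint16_t channels, depth; } ImgHeader;

/* Assumed policy cap on decoded pixel data; real viewers choose their own. */
#define MAX_IMAGE_BYTES (1u << 30)

/* Vulnerable pattern (CWE-190): every product is done in 32 bits, so a
 * header with huge dimensions wraps to a small count. malloc() then returns
 * a tiny buffer and a row-by-row copy driven by width/height writes past it
 * (CWE-122), the chain the advisory describes for CVE-2026-30041. */
uint32_t image_bytes_unchecked(const ImgHeader *h) {
    uint32_t row = h->width * h->channels * (h->depth / 8);
    return row * h->height;
}

/* Multiply without wrapping; returns 0 and leaves *out untouched on overflow. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Hardened form: reject zero dimensions, arithmetic overflow and oversized
 * images before any allocation. Returns the byte count, or 0 if malformed. */
size_t image_bytes_checked(const ImgHeader *h) {
    size_t bpp = h->depth / 8, row, total;
    if (h->width == 0 || h->height == 0 || h->channels == 0 || bpp == 0) return 0;
    if (!mul_checked(h->width, h->channels, &row)) return 0;
    if (!mul_checked(row, bpp, &row)) return 0;
    if (!mul_checked(row, h->height, &total)) return 0;
    if (total > MAX_IMAGE_BYTES) return 0;
    return total;
}

/* Copy pixel data only when the header-derived size is sane AND the file
 * actually carries that many bytes; returns NULL (no allocation) otherwise. */
uint8_t *load_pixels(const ImgHeader *h, const uint8_t *data, size_t data_len) {
    size_t total = image_bytes_checked(h);
    if (total == 0 || data_len < total) return NULL;
    uint8_t *buf = malloc(total);
    if (buf) memcpy(buf, data, total);
    return buf;
}
```

A 65537 x 65536 single-channel header wraps to 65536 bytes in the unchecked path but is rejected outright by the checked one.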

Confirmed vs. still unknown

✓ Confirmed facts

  • CVE-2026-30040 triggers on automatic thumbnail generation and can reach code execution (no click needed) (CERT/CC)
  • CVE-2026-30041 triggers on processing a crafted PSD and can lead to code execution or a crash
  • Affected: 8.3.0.0 and earlier. The vendor is unreachable and no patch is available (JVN)

? Not yet confirmed

  • Whether exploited in the wild — not on CISA KEV at the time of writing
  • When a fix will ship — the vendor is unreachable, so there is no timeline

What to do now

With no patch, the baseline is to avoid letting dangerous files be processed. CERT/CC recommends not downloading or processing untrusted JP2 (JPEG 2000) or PSD image files, and running under a limited (non-administrator) account. Even if exploited, that keeps the damage within the current user's privileges.

In addition, do not open folders of unknown images in FastStone (to avoid automatic thumbnail generation), and do not open unexpected attached images. For files you truly must inspect, handle them in an isolated environment or a different viewer. If your organization uses FastStone widely, consider an alternative viewer until a fix appears, and review how the thumbnail feature is used. It is also worth checking the vendor's site periodically for a released fix.

Summary

FastStone Image Viewer 8.3.0.0 and earlier have two flaws (CVE-2026-30040 / CVE-2026-30041) that can lead to arbitrary code execution via a crafted image, and the former can trigger from automatic thumbnail generation alone. With no patch available, the key is self-defense through mitigations: do not process untrusted images, and run under a limited account.

That "just an image" can be an entry point is an easily overlooked risk. Until a fix appears, pay extra attention to where the images you receive come from.
