Description
XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file
Published: 2026-03-23
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption, potential arbitrary code execution
Action: Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free condition in XnSoft NConvert 7.230 that is triggered when the program processes a specially crafted TIFF file. The flaw occurs after the program frees memory that it later dereferences, which can lead to memory corruption and potentially arbitrary code execution if an attacker can supply the crafted file. This is a classic example of CWE‑416 and represents a medium severity risk to confidentiality, integrity, and availability of affected systems.

Affected Systems

The affected software is XnSoft's NConvert application, version 7.230. This version is distributed and documented on the official XnView website. No other versions or products are listed as affected in the provided data.

Risk and Exploitability

The CVSS score for this flaw is 6.2, indicating medium risk, while the EPSS score is below 1%, suggesting a low probability of widespread exploitation. The flaw is not listed in CISA’s KEV catalog. Because the trigger requires a crafted .tiff file, the likely attack vector is local or remote file processing, such as via an application that accepts user‑supplied TIFF files. No additional prerequisites are recorded, so an attacker needs access to a system running NConvert 7.230 to load a malicious file.

Generated by OpenCVE AI on March 26, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NConvert to the latest version released by XnSoft (any version after 7.230).
  • Avoid opening or converting unknown or untrusted TIFF files with the vulnerable version.
  • Verify the integrity of the NConvert installer and binaries by checking digital signatures or using official download sources.

Generated by OpenCVE AI on March 26, 2026 at 17:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in XnSoft NConvert 7.230 via Crafted TIFF File

Thu, 26 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Xnview
Xnview nconvert
CPEs cpe:2.3:a:xnview:nconvert:7.230:*:*:*:*:*:*:*
Vendors & Products Xnview
Xnview nconvert

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in XnSoft NConvert 7.230 via Crafted TIFF File

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Xnsoft
Xnsoft nconvert
Vendors & Products Xnsoft
Xnsoft nconvert

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Mon, 23 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file
References

Subscriptions

Xnsoft Nconvert
Xnview Nconvert
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T17:09:36.890Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30007

cve-icon Vulnrichment

Updated: 2026-03-23T17:09:29.681Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T17:16:49.083

Modified: 2026-03-26T15:30:13.473

Link: CVE-2026-30007

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:21:25Z

Weaknesses