CVE-2019-25328
Published: 12 February 2026
Summary
CVE-2019-25328 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Xnview (inferred from references). Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 12.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2019-25328 is a denial of service vulnerability in XnConvert version 1.82, specifically within its registration code input field. The flaw allows attackers to crash the application by pasting a 9000-byte buffer consisting of repeated characters into the field. It stems from a stack-based buffer overflow, as classified under CWE-121, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited by remote attackers requiring no privileges or user interaction. By supplying the crafted input to the registration code field, attackers achieve a denial of service condition, resulting in an application crash.
Advisories and related resources include a proof-of-concept exploit at https://www.exploit-db.com/exploits/47801 and a VulnCheck advisory at https://www.vulncheck.com/advisories/xnconvert-denial-of-service. The vendor's site at https://www.xnview.com and applications page at https://www.xnview.com/en/apps/ provide further context on XnConvert.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19448
Vulnerability details
XnConvert 1.82 contains a denial of service vulnerability in its registration code input field that allows attackers to crash the application. Attackers can generate a 9000-byte buffer of repeated characters and paste it into the registration code field to trigger an application crash.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack buffer overflow in desktop app registration field directly enables application-layer DoS via crafted input (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): implements input validation at the registration code field to reject oversized inputs such as the 9000-byte buffer that triggers the stack-based buffer overflow crash.
- SI-11 (Error Handling): requires error handling that rejects invalid oversized inputs to the registration code field without compromising application availability through a crash.
- SI-2 (Flaw Remediation): mandates applying patches or updates that address the specific stack buffer overflow in XnConvert 1.82.
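The following is an added example, not XnConvert's code, showing what the SI-10 and SI-11 controls above look like in practice for a registration-code field: the pasted input is length-checked and character-checked before it is copied into a fixed-size stack buffer, and an oversized paste produces a status code instead of a crash. The 64-character limit, the allowed character set (digits, upper-case letters and hyphens) and the function names are assumptions for this example; the 9000-byte repeated-character input mirrors the one described on the page and is constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum registration-code length the field accepts. XnConvert's real limit is
 * not documented on this page; 64 is an assumed value for the example. */
#define REG_CODE_MAX 64

enum reg_status { REG_OK = 0, REG_EMPTY, REG_TOO_LONG, REG_BAD_CHAR };

/* Bounded length scan: never walks further than `max` bytes, so a 9000-byte
 * paste costs at most REG_CODE_MAX + 1 comparisons. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* SI-10: validate the pasted code before it touches any fixed-size buffer.
 * Rejecting oversized input here is what prevents a CWE-121 stack overflow. */
enum reg_status validate_registration_code(const char *input, size_t len)
{
    if (len == 0)
        return REG_EMPTY;
    if (len > REG_CODE_MAX)
        return REG_TOO_LONG;            /* the 9000-byte paste stops here */
    for (size_t i = 0; i < len; i++) {
        char c = input[i];
        int allowed = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || c == '-';
        if (!allowed)
            return REG_BAD_CHAR;        /* assumed character set, see lead-in */
    }
    return REG_OK;
}

/* SI-11: copy into the caller's fixed-size buffer only after validation and
 * report failure as a return value. The unsafe pattern this replaces is an
 * unbounded strcpy(out, input) with no length check. */
enum reg_status store_registration_code(const char *input, char *out, size_t out_size)
{
    size_t len = bounded_len(input, REG_CODE_MAX + 1);
    enum reg_status st = validate_registration_code(input, len);
    if (st != REG_OK)
        return st;
    if (len >= out_size)
        return REG_TOO_LONG;            /* the destination buffer is the hard bound */
    memcpy(out, input, len);
    out[len] = '\0';
    return REG_OK;
}

/* Constructed input: 9000 repeated 'A' bytes, as described on the page.
 * Returns 1 when the oversized paste is rejected without touching `field`. */
int demo_oversized_paste(void)
{
    static char paste[9001];
    memset(paste, 'A', 9000);
    paste[9000] = '\0';
    char field[REG_CODE_MAX + 1];
    return store_registration_code(paste, field, sizeof field) == REG_TOO_LONG;
}

/* Constructed well-formed code; returns 1 when it is stored intact. */
int demo_valid_code(void)
{
    char field[REG_CODE_MAX + 1];
    if (store_registration_code("ABCD-1234-EF56", field, sizeof field) != REG_OK)
        return 0;
    return strcmp(field, "ABCD-1234-EF56") == 0;
}

int main(void)
{
    printf("oversized paste rejected: %d\n", demo_oversized_paste());
    printf("valid code stored:        %d\n", demo_valid_code());
    return 0;
}
```

The design point is that the length bound lives in the validation step and in the copy step independently: even if a future caller passes a smaller destination buffer, `store_registration_code` still refuses to write past it, so availability does not depend on every call site remembering the limit.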