CVE-2024-28564 identifies a buffer overflow vulnerability in the FreeImage open source library, specifically version 3.19.0 [r1909]. The vulnerability resides in the Imf_2_2::CharPtrIO::readChars() function, which is responsible for reading character data from EXR image files. When processing crafted or malformed EXR images, this function can overflow its buffer, leading to memory corruption. The consequence of this overflow is a denial of service (DoS) condition, where the affected application or service crashes or becomes unresponsive. This vulnerability requires local attacker access, meaning the attacker must have the ability to run code or supply files locally to the vulnerable system. There is no requirement for user interaction or elevated privileges, which lowers the barrier to exploitation for local users. The vulnerability does not compromise confidentiality or integrity, as it does not allow code execution or data leakage, but it impacts availability by causing crashes. The CVSS 3.1 base score of 6.2 reflects a medium severity level, driven by the local attack vector and the impact on availability. No patches or fixes are currently linked, and no exploits have been reported in the wild. The underlying weakness is classified as CWE-120, a classic buffer overflow issue, which is a common and well-understood vulnerability type in software security.

The primary impact of CVE-2024-28564 is denial of service, which can disrupt services or applications relying on FreeImage for processing EXR images. Organizations that use FreeImage in image processing pipelines, media editing software, or any system that handles EXR format images locally are at risk. A successful exploit could cause application crashes, leading to downtime, loss of productivity, or interruption of automated workflows. Although the vulnerability does not allow remote exploitation or privilege escalation, insider threats or compromised local accounts could leverage this flaw to degrade system availability. In environments where image processing is critical, such as media production, scientific visualization, or graphics rendering, this could have operational consequences. The lack of known exploits in the wild reduces immediate risk, but the presence of a publicly disclosed vulnerability may invite future exploit development. Organizations should consider the risk in the context of their exposure to local users and the importance of uninterrupted image processing services.

To mitigate CVE-2024-28564, organizations should first verify if they use FreeImage version 3.19.0 [r1909] or earlier versions that include the vulnerable code. Since no official patch is currently available, temporary mitigations include restricting local user access to systems that process EXR images with FreeImage, thereby limiting the potential attacker base. Implement strict file validation and scanning policies to detect and block malformed or suspicious EXR files before processing. Consider sandboxing or isolating image processing tasks to contain potential crashes and prevent broader system impact. Monitor application logs for crashes or unusual behavior related to image processing. Engage with the FreeImage project or community to obtain updates or patches as they become available. Additionally, applying general security best practices such as least privilege for local users and maintaining system integrity can reduce exploitation likelihood. Once a patch is released, prioritize its deployment to fully remediate the vulnerability.