CVE-2024-28565 identifies a buffer overflow vulnerability in the FreeImage open source library version 3.19.0, specifically within the psdParser::ReadImageData() function responsible for reading PSD (Photoshop Document) image data. The vulnerability arises when the function improperly handles image data from PSD files, leading to a buffer overflow condition. This flaw can be exploited by a local attacker with low privileges to cause a denial of service (DoS) by crashing the application or process that uses FreeImage to parse PSD images. The attack vector is local, requiring the attacker to have access to the system and the ability to supply a malicious PSD file. No user interaction is necessary, and the attack complexity is low, meaning the exploit does not require advanced conditions or timing. The vulnerability does not allow for confidentiality or integrity breaches, as it does not enable code execution or data leakage, but it impacts availability by causing application crashes. Currently, there are no known exploits in the wild, and no official patches or updates have been released to address this issue. The vulnerability is classified under CWE-120 (Classic Buffer Overflow), a common weakness that can lead to memory corruption. Given FreeImage's use in various image processing applications and software, this vulnerability could affect any system that processes PSD files using the vulnerable FreeImage version. The medium CVSS score of 5.5 reflects the moderate risk posed by this vulnerability, balancing the local attack requirement and the denial of service impact.

The primary impact of CVE-2024-28565 is denial of service, which can disrupt availability of applications or services that rely on FreeImage to process PSD files. Organizations using FreeImage in image processing pipelines, content management systems, or desktop applications that handle PSD images may experience crashes or service interruptions if exposed to malicious PSD files. While the vulnerability does not allow for privilege escalation, data theft, or code execution, repeated exploitation could degrade system reliability and user trust. In environments where image processing is automated or integrated into critical workflows, such disruptions could lead to operational delays or increased support costs. Since exploitation requires local access, remote attackers cannot directly leverage this flaw unless they have already compromised a system or can trick users into opening malicious PSD files locally. The absence of known exploits reduces immediate risk, but the lack of patches means the vulnerability remains a potential vector for insider threats or malware that operates locally. Overall, the impact is moderate and primarily affects availability rather than confidentiality or integrity.

To mitigate CVE-2024-28565, organizations should first identify and inventory all software components and applications that use FreeImage version 3.19.0 or earlier. Until an official patch is released, restrict local user permissions to limit the ability to execute or open untrusted PSD files, especially from unknown or unverified sources. Implement application whitelisting and endpoint protection to detect and prevent execution of suspicious files. Consider sandboxing or isolating image processing tasks to contain potential crashes and prevent broader system impact. Monitor logs and system behavior for crashes related to PSD file processing to detect exploitation attempts. If possible, replace or upgrade FreeImage to a version that addresses this vulnerability once available. Additionally, educate users about the risks of opening PSD files from untrusted sources to reduce accidental exposure. For developers, review and harden image parsing code to validate input sizes and prevent buffer overflows. Employ fuzz testing and static analysis tools to detect similar vulnerabilities proactively.