CVE-2024-28566 identifies a buffer overflow vulnerability in the FreeImage open-source library, specifically version 3.19.0 [r1909]. The flaw exists within the AssignPixel() function, which is responsible for assigning pixel data when reading TIFF format images. A buffer overflow occurs when the function improperly handles image data, allowing an attacker with local access to craft malicious TIFF files that trigger arbitrary code execution. This vulnerability does not require privileges or user interaction, increasing its risk profile. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow), indicating that the overflow can overwrite critical memory areas, potentially leading to control flow hijacking. The CVSS 3.1 base score is 8.4, reflecting high impact on confidentiality, integrity, and availability. Although no patches or exploits are currently documented, the vulnerability demands urgent attention due to the widespread use of FreeImage in image processing applications across various industries. The lack of known exploits suggests it is either newly discovered or not yet weaponized, but the ease of exploitation through crafted TIFF files makes it a significant threat vector for local attackers.

The vulnerability allows local attackers to execute arbitrary code, which can lead to full system compromise depending on the privileges of the affected process. This impacts confidentiality by potentially exposing sensitive data, integrity by allowing unauthorized code execution or modification, and availability by causing crashes or denial of service. Organizations using FreeImage in desktop applications, image processing tools, or embedded systems that handle TIFF images are at risk. The local attack vector means that attackers must have some form of access to the system, but no privileges or user interaction are required, lowering the barrier for exploitation. This could facilitate privilege escalation or lateral movement within networks. Industries such as digital forensics, medical imaging, publishing, and any sector relying on TIFF image processing are particularly vulnerable. The absence of known exploits reduces immediate risk but does not diminish the urgency for mitigation, as proof-of-concept exploits could emerge rapidly.

1. Immediately audit all systems and applications using FreeImage version 3.19.0 [r1909] for TIFF image processing capabilities. 2. Restrict local access to systems where FreeImage is deployed, limiting the ability of untrusted users to supply TIFF files. 3. Implement strict input validation and sanitization for all TIFF images processed by applications using FreeImage to detect malformed or suspicious files. 4. Monitor system logs and application behavior for anomalies related to image processing, such as crashes or unexpected memory usage. 5. Where possible, isolate image processing components in sandboxed or containerized environments to limit the impact of potential exploitation. 6. Engage with FreeImage maintainers or community to track the release of patches or updated versions addressing this vulnerability and apply them promptly. 7. Consider alternative libraries or tools for TIFF processing if immediate patching is not feasible. 8. Educate local users and administrators about the risks of opening untrusted TIFF files on affected systems.