CVE-2024-28567 identifies a buffer overflow vulnerability in the FreeImage open source library, version 3.19.0 [r1909]. The vulnerability exists in the FreeImage_CreateICCProfile() function, which is responsible for creating ICC color profiles when reading TIFF image files. A buffer overflow occurs when the function improperly handles input data, leading to memory corruption. This flaw can be exploited by a local attacker who has access to the system to cause a denial of service (DoS) by crashing the application or process using FreeImage. The vulnerability does not require privileges beyond local access, nor does it require user interaction, making it easier to trigger if local access is obtained. However, it does not allow for code execution or data compromise, as it only impacts availability. The CVSS v3.1 score is 6.2, reflecting a medium severity level due to the local attack vector, low complexity, no privileges required, and no user interaction needed. No patches or exploits are currently publicly available, but the vulnerability is documented and published in the CVE database. The weakness is classified under CWE-121, indicating a classic stack-based buffer overflow issue. This vulnerability is relevant for any software or systems that incorporate FreeImage 3.19.0 for TIFF image processing, particularly in environments where local users might attempt to disrupt service.

The primary impact of CVE-2024-28567 is denial of service, which can disrupt applications or services relying on FreeImage for TIFF image processing. This could affect desktop applications, image processing pipelines, or multimedia software that utilize this library. While the vulnerability does not allow for data theft or system compromise, the DoS can lead to service interruptions, reduced availability, and potential operational downtime. Organizations that rely on automated image processing or have multi-user environments where local users have access could see degraded service reliability. The impact is limited by the requirement for local access, so remote exploitation is not feasible without prior compromise. There is no indication of exploitation in the wild, reducing immediate risk, but the vulnerability could be leveraged in targeted attacks or insider threat scenarios. Overall, the impact is moderate but should not be ignored in environments where FreeImage is a critical component.

To mitigate CVE-2024-28567, organizations should first verify if they are using FreeImage version 3.19.0 or earlier in their software stack, especially for TIFF image handling. Since no official patch is currently available, consider the following steps: 1) Restrict local access to systems running vulnerable FreeImage versions to trusted users only, minimizing the risk of local exploitation. 2) Implement application-level input validation or sandboxing to limit the impact of malformed TIFF files. 3) Monitor and audit local user activities to detect unusual attempts to process TIFF images that could trigger the vulnerability. 4) If possible, upgrade to a newer version of FreeImage once a patch is released or apply vendor-provided fixes promptly. 5) For developers, review and harden the FreeImage_CreateICCProfile() function to ensure proper bounds checking and memory management. 6) Employ system-level protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to reduce exploitation success. 7) Consider isolating image processing tasks in containers or virtual machines to contain potential crashes. These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and architectural isolation.