CVE-2024-28568 identifies a buffer overflow vulnerability in the FreeImage open-source library version 3.19.0, specifically within the read_iptc_profile() function responsible for parsing IPTC metadata embedded in TIFF image files. The vulnerability arises from improper bounds checking when reading IPTC profiles, allowing a local attacker to overflow a buffer and cause the application to crash, resulting in a denial of service (DoS). This vulnerability is classified under CWE-121 (Stack-based Buffer Overflow). The attack vector is local (AV:L), requiring no privileges (PR:N) or user interaction (UI:N), and the scope remains unchanged (S:U). The CVSS v3.1 base score is 8.4, reflecting a high severity due to the ease of exploitation and the impact on availability. No known exploits are currently in the wild, and no patches have been published yet. The vulnerability affects software that integrates FreeImage 3.19.0 for image processing, particularly those handling TIFF images with IPTC metadata. Exploitation could lead to application crashes, potentially disrupting services or workflows relying on image processing. Since the vulnerability requires local access, attackers must have some foothold on the system to exploit it. This flaw does not compromise confidentiality or integrity but can cause denial of service conditions, which may be critical in environments where image processing is integral to operations.

The primary impact of CVE-2024-28568 is denial of service, which can disrupt applications or services relying on FreeImage for TIFF image processing. Organizations that use FreeImage in desktop applications, servers, or automated image processing pipelines may experience crashes, leading to downtime or degraded service availability. This can affect media companies, digital forensics, scientific research, and any sector relying on automated image handling. Since the vulnerability requires local access, the risk is higher in environments where multiple users have system access or where attackers can gain initial footholds through other means. Although confidentiality and integrity are not affected, the availability impact can lead to operational disruptions, loss of productivity, and potential financial losses. The lack of known exploits reduces immediate risk, but the high CVSS score indicates that once exploited, the impact could be significant. Organizations with critical image processing workloads should prioritize mitigation to avoid service interruptions.

1. Restrict local access to systems running FreeImage 3.19.0, ensuring only trusted users have login capabilities. 2. Monitor applications using FreeImage for unexpected crashes or abnormal behavior when processing TIFF images, especially those containing IPTC metadata. 3. Implement application-level sandboxing or process isolation to contain potential crashes and prevent cascading failures. 4. Employ intrusion detection systems to identify anomalous local activity that could indicate exploitation attempts. 5. Regularly review and update software dependencies; apply patches or upgrade FreeImage to a fixed version once available from the maintainers. 6. If immediate patching is not possible, consider disabling or restricting processing of TIFF images with IPTC profiles as a temporary workaround. 7. Conduct code audits or fuzz testing on image processing components to identify similar vulnerabilities proactively. 8. Educate system administrators and developers about the vulnerability and encourage secure coding and handling of untrusted image inputs.