CVE-2024-28570 identifies a buffer overflow vulnerability in the FreeImage open source library, specifically version 3.19.0 [r1909]. The flaw resides in the processMakerNote() function, which is responsible for handling the MakerNote metadata in JPEG images. When processing crafted JPEG files, this function improperly manages memory buffers, leading to an overflow condition. This vulnerability can be exploited by a local attacker with limited privileges to cause a denial of service by crashing the application that uses FreeImage for image processing. The vulnerability is classified under CWE-120 (Classic Buffer Overflow). According to the CVSS 3.1 vector, the attack requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), with no user interaction (UI:N) needed. The impact is limited to availability (A:H), with no confidentiality or integrity impact. No public exploits or patches are currently known or available. The vulnerability affects software that integrates FreeImage 3.19.0 for JPEG image handling, which may include desktop applications, image processing tools, or other software relying on this library for local image decoding.

The primary impact of CVE-2024-28570 is denial of service due to application crashes when processing malicious JPEG images. This can disrupt workflows that rely on FreeImage for image decoding, potentially causing application instability or downtime. Since exploitation requires local access and low privileges, the threat is mainly to environments where untrusted users have local system access or where image files are processed automatically from local sources. There is no direct risk to confidentiality or data integrity, but availability interruptions could affect productivity and system reliability. Organizations using FreeImage in desktop or embedded applications may experience service interruptions or require restarts after crashes. The lack of remote exploitation reduces the risk of widespread attacks but does not eliminate the threat in multi-user or shared environments.

To mitigate this vulnerability, organizations should restrict local access to systems running FreeImage 3.19.0, ensuring only trusted users can process images locally. Implement strict input validation and sanitization for JPEG files before processing to detect and block malformed images targeting the MakerNote metadata. Monitor application logs for crashes related to image processing and isolate affected systems promptly. Where possible, run image processing components with least privilege and in sandboxed environments to limit the impact of crashes. Stay informed about updates from the FreeImage project and apply patches or upgrade to fixed versions as soon as they become available. If patching is delayed, consider replacing FreeImage with alternative libraries that do not exhibit this vulnerability. Additionally, conduct security reviews of software dependencies to identify and remediate similar risks proactively.