
CVE-2024-28571: n/a

Severity: Medium
Published: Wed Mar 20 2024 (03/20/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the fill_input_buffer() function when reading images in JPEG format.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 11:24:17 UTC

Technical Analysis

CVE-2024-28571 identifies a buffer overflow vulnerability in the FreeImage open source library version 3.19.0 [r1909], specifically within the fill_input_buffer() function responsible for reading JPEG image data. This vulnerability arises due to improper bounds checking when processing JPEG input, leading to an out-of-bounds read or write (classified under CWE-125: Out-of-bounds Read). A local attacker with at least low-level privileges can exploit this flaw by supplying a crafted JPEG image to an application that uses FreeImage for image processing. The exploitation results in a denial of service (DoS) condition by crashing the application or causing memory corruption that halts normal operation. The vulnerability does not allow for privilege escalation, code execution, or data leakage, but it disrupts service availability. The attack vector is local (AV:L), requiring the attacker to have access to the system where FreeImage is used. No user interaction is necessary once local access is obtained. The vulnerability has a CVSS v3.1 base score of 5.5, indicating medium severity. No patches or fixes have been officially released at the time of publication, and there are no known exploits in the wild. This vulnerability is relevant for any software or systems that embed FreeImage 3.19.0 and process JPEG images locally, including desktop applications, image processing tools, and potentially embedded devices relying on this library.

Potential Impact

The primary impact of CVE-2024-28571 is denial of service, which can disrupt availability of applications or services that rely on FreeImage for JPEG image processing. Organizations using FreeImage in critical image handling workflows may experience application crashes or service interruptions, potentially affecting productivity or user experience. Since exploitation requires local access, the risk is mitigated somewhat by the need for attacker presence on the system. However, in multi-user environments or shared systems, a low-privileged user could exploit this to disrupt other users or services. Embedded systems or devices that rely on FreeImage for image decoding could also be affected, possibly causing device instability. There is no direct impact on confidentiality or integrity, and no indication that remote exploitation or privilege escalation is possible. Overall, the threat is moderate but should be addressed to maintain system stability and prevent denial of service conditions.

Mitigation Recommendations

To mitigate CVE-2024-28571, organizations should first identify all software and systems using FreeImage version 3.19.0 [r1909], especially those processing JPEG images locally. Until an official patch is released, consider the following specific actions:

1) Restrict local access to trusted users only, minimizing the risk of local exploitation.
2) Implement strict input validation and sanitization on JPEG files before they are processed by FreeImage, potentially using alternative image validation tools or libraries to filter out malformed images.
3) Monitor application logs and system stability for signs of crashes or abnormal behavior related to image processing.
4) Where feasible, isolate image processing components in sandboxed or containerized environments to limit the impact of a crash.
5) Stay updated with FreeImage project announcements and apply patches promptly once available.
6) Consider upgrading to a later, unaffected version of FreeImage if available, or replacing FreeImage with alternative libraries that do not exhibit this vulnerability.
7) For embedded devices, coordinate with vendors for firmware updates addressing this issue.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-03-08T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d92b7ef31ef0b588c66

Added to database: 2/25/2026, 9:45:54 PM

Last enriched: 2/26/2026, 11:24:17 AM

Last updated: 4/12/2026, 5:06:07 PM

