CVE-2024-28572 identifies a buffer overflow vulnerability in the FreeImage open-source library, specifically version 3.19.0 [r1909]. The flaw exists in the FreeImage_SetTagValue() function, which is responsible for setting tag values when reading JPEG images. A buffer overflow occurs when this function improperly handles input data, leading to memory corruption. This vulnerability can be exploited by a local attacker who has access to the system to trigger a denial of service (DoS) condition by crashing the application using FreeImage. The vulnerability does not require privileges or user interaction, but the attacker must have local access to the affected system. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow). The CVSS v3.1 score is 6.2, indicating a medium severity level primarily due to the local attack vector and lack of confidentiality or integrity impact. No public exploits or patches are currently available, and the vulnerability was published on March 20, 2024. FreeImage is widely used in multimedia applications, image processing tools, and software development environments, making this vulnerability relevant to organizations relying on this library for JPEG image handling.

The primary impact of CVE-2024-28572 is denial of service, which can disrupt applications or services that utilize FreeImage for JPEG image processing. This may lead to application crashes, potential service interruptions, and reduced availability of affected software. Since the vulnerability requires local access, remote exploitation is not feasible, limiting the attack surface. There is no impact on confidentiality or integrity, so data theft or manipulation is not a concern. However, in environments where FreeImage is embedded in critical multimedia or imaging software, repeated crashes could degrade user experience or interrupt workflows. Organizations relying on automated image processing pipelines or multimedia editing tools that incorporate FreeImage may face operational disruptions. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future exploitation.

To mitigate CVE-2024-28572, organizations should monitor for official patches or updates from the FreeImage project and apply them promptly once released. In the absence of patches, restricting local access to systems running FreeImage-based applications is critical to reduce the risk of exploitation. Employing application whitelisting and limiting user privileges can help prevent unauthorized local code execution. Additionally, sandboxing or containerizing applications that use FreeImage can contain potential crashes and minimize impact. Developers should review and update their use of FreeImage, potentially replacing or wrapping the vulnerable function with safer alternatives. Implementing robust input validation and fuzz testing on JPEG image inputs can help detect and prevent similar vulnerabilities. Regularly auditing software dependencies and maintaining an inventory of applications using FreeImage will aid in targeted mitigation efforts.