CVE-2024-28574: n/a
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_copy_default_tcp_and_create_tcd() function when reading images in J2K format.
AI Analysis
Technical Summary
CVE-2024-28574 identifies a buffer overflow vulnerability in the FreeImage open source library version 3.19.0, specifically within the function opj_j2k_copy_default_tcp_and_create_tcd(), which is involved in reading images in the JPEG 2000 (J2K) format. The vulnerability arises due to improper bounds checking or memory handling when copying or creating tile coding data structures, leading to a buffer overflow condition. This flaw can be triggered by a local attacker who supplies a specially crafted J2K image file to an application that uses FreeImage for image decoding. The overflow can cause the application to crash, resulting in a denial of service (DoS) condition. The vulnerability does not allow for code execution or data manipulation but disrupts service availability. The CVSS 3.1 base score of 6.2 reflects that the attack vector is local (AV:L), requires low attack complexity (AC:L), no privileges (PR:N), no user interaction (UI:N), and impacts only availability (A:H) without affecting confidentiality or integrity. No patches or fixes have been released yet, and no active exploitation has been reported. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow).
Potential Impact
The primary impact of CVE-2024-28574 is denial of service, which can disrupt applications or services relying on FreeImage for processing JPEG 2000 images. This may affect software that handles image rendering, editing, or conversion, potentially causing crashes or service interruptions. While the vulnerability does not compromise data confidentiality or integrity, repeated crashes could degrade user experience, interrupt automated workflows, or cause system instability. Organizations that integrate FreeImage into their products or internal tools, especially those processing J2K images locally, face increased risk. The requirement for local access limits remote exploitation, reducing the threat surface. However, in environments where untrusted users have local access, such as shared workstations or multi-user systems, the risk is more pronounced. The absence of known exploits in the wild currently reduces the immediate risk, but because no patch is available the vulnerability remains exploitable if attackers discover it.
Mitigation Recommendations
To mitigate CVE-2024-28574, organizations should first identify all applications and systems using FreeImage version 3.19.0 or earlier that process JPEG 2000 images. Until an official patch is released, consider the following measures: restrict local user access to trusted personnel only, especially on systems that process untrusted image files; implement application-level input validation to detect and block malformed J2K images; employ sandboxing or containerization to isolate image processing components and limit crash impact; monitor application logs for crashes or abnormal behavior related to image handling; and maintain up-to-date backups to recover from potential service disruptions. Additionally, track FreeImage project updates for patches addressing this vulnerability and apply them promptly once available. If feasible, consider temporarily disabling J2K image support or replacing FreeImage with alternative libraries that do not exhibit this vulnerability.
Affected Countries
United States, Germany, Japan, South Korea, France, United Kingdom, Canada, Australia, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d93b7ef31ef0b588d25
Added to database: 2/25/2026, 9:45:55 PM
Last enriched: 2/28/2026, 10:23:21 AM
Last updated: 4/12/2026, 3:42:51 PM
Views: 10