CVE-2024-28577 identifies a null pointer dereference vulnerability in FreeImage version 3.19.0, an open source image processing library widely used for handling various image formats including JPEG. The vulnerability resides in the jpeg_read_exif_profile_raw() function, which processes EXIF metadata embedded in JPEG images. When this function encounters specially crafted JPEG files, it may dereference a null pointer, causing the application to crash and leading to a denial of service (DoS) condition. The flaw requires local attacker privileges (low) and does not require user interaction, meaning an attacker with access to the system can trigger the crash by processing a malicious JPEG image. The vulnerability affects availability only, with no impact on confidentiality or integrity. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the medium severity rating. No patches or fixes have been released at the time of publication, and no active exploitation has been reported. The vulnerability is classified under CWE-476 (NULL Pointer Dereference), a common software flaw that can cause application instability or crashes. Given FreeImage's usage in various software products and embedded systems, this vulnerability could disrupt services or applications relying on image processing capabilities.

The primary impact of CVE-2024-28577 is denial of service, which can disrupt applications or services that utilize FreeImage for JPEG image processing. This can lead to application crashes, potentially affecting user experience, system stability, and availability of dependent services. Although the vulnerability requires local access, it could be leveraged in multi-user environments or systems where untrusted users have limited access, such as shared workstations or development environments. The lack of confidentiality or integrity impact limits the risk to data breaches or unauthorized modifications. However, repeated exploitation could cause operational interruptions, impacting business continuity. Organizations embedding FreeImage in critical systems or software products may face increased risk of service outages until a patch is applied. The absence of known exploits reduces immediate threat but does not eliminate future risk, especially as the vulnerability is publicly disclosed.

To mitigate CVE-2024-28577, organizations should first monitor FreeImage project communications for official patches or updates addressing this vulnerability and apply them promptly once available. Until patches are released, restrict local access to systems running vulnerable FreeImage versions to trusted users only, minimizing the risk of local exploitation. Implement input validation and sanitization where possible to detect and block malformed JPEG files before processing. Consider using alternative image processing libraries that are not affected by this vulnerability if immediate patching is not feasible. For software developers, review and harden the image processing code to handle null pointers gracefully and avoid crashes. Employ application-level sandboxing or containerization to limit the impact of potential crashes. Additionally, maintain robust logging and monitoring to detect unusual application crashes or denial of service symptoms related to image processing activities.