CVE-2024-28565 in FreeImageinfo

Summary

by MITRE • 03/20/2024

Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the psdParser::ReadImageData() function when reading images in PSD format.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/13/2025

The buffer overflow vulnerability identified as CVE-2024-28565 affects the open source FreeImage library version 3.19.0 release r1909 and represents a critical security flaw that enables local attackers to execute denial of service attacks. This vulnerability specifically manifests within the psdParser::ReadImageData() function responsible for processing images in Photoshop Document format. The flaw occurs when the library attempts to read PSD image data without proper bounds checking, creating an opportunity for memory corruption that can be exploited to crash the application or system.

The technical implementation of this vulnerability stems from inadequate input validation within the PSD parser component of FreeImage. When processing maliciously crafted PSD files, the ReadImageData() function fails to properly validate the size parameters of image data blocks, allowing attackers to provide oversized data structures that exceed allocated buffer boundaries. This classic buffer overflow condition creates memory corruption that can lead to arbitrary code execution or system crashes depending on the execution context. The vulnerability is classified under CWE-121 as a stack-based buffer overflow, where insufficient bounds checking allows data to overwrite adjacent memory locations.

The operational impact of CVE-2024-28565 extends beyond simple denial of service scenarios, as it can be leveraged to cause system instability in applications that rely on FreeImage for image processing. Systems utilizing FreeImage for PSD file handling become vulnerable to exploitation, particularly those running on Windows platforms where the library is commonly deployed. Attackers can craft specially formatted PSD files that trigger the buffer overflow condition during normal image loading operations, potentially leading to application crashes, system hangs, or even privilege escalation in certain scenarios. The vulnerability affects any software that integrates FreeImage as a third-party image processing library, making it a widespread concern across multiple applications and systems.

Mitigation strategies for this vulnerability require immediate patching of the FreeImage library to version 3.19.1 or later, which contains the necessary fixes for the buffer overflow condition. System administrators should prioritize updating all applications that utilize FreeImage, particularly those handling user-supplied image files. Additional protective measures include implementing strict input validation for image file processing, deploying sandboxing mechanisms for image handling operations, and monitoring for异常 behavior in applications that process PSD files. Organizations should also consider implementing network segmentation and access controls to limit potential attack vectors, while following ATT&CK framework guidance for mitigating code execution vulnerabilities. The fix addresses the underlying CWE-121 issue through proper bounds checking and memory allocation validation, ensuring that image data processing operations remain within allocated buffer boundaries and preventing the overflow conditions that enable denial of service attacks.

Reservation

03/08/2024

Disclosure

03/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00434

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!