CVE-2024-9029 Overview
CVE-2024-9029 is a buffer over-read vulnerability in the FreeImage library, an open-source image decoding library used by many desktop and server applications. The flaw resides in the read_iptc_profile function within Source/Metadata/IPTC.cpp. The function fails to sanitize the size of the IPTC profile before reading it, leading to a one-byte out-of-bounds read when processing a crafted image. Applications linked against FreeImage crash when parsing the malicious file, resulting in denial of service. The vulnerability is network-reachable through any workflow that accepts attacker-supplied images.
Critical Impact
Remote attackers can crash any application using FreeImage by supplying a crafted image, causing denial of service in image processing pipelines and document workflows.
Affected Products
- FreeImage library (all versions, no fixed release identified upstream)
- Applications statically or dynamically linked against freeimage_project:freeimage
- Downstream distributions packaging FreeImage as a system library
Discovery Timeline
- 2024-09-27 - CVE-2024-9029 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2024-9029
Vulnerability Analysis
The defect is a one-byte buffer over-read [CWE-126] in the IPTC metadata parser. FreeImage exposes the read_iptc_profile routine to decode embedded IPTC application records inside image containers such as JPEG, TIFF, and PSD. The parser trusts the profile length stored in the file header and uses it to drive read operations across the in-memory buffer. When a crafted image declares a profile size that exceeds the actual buffer, the parser reads one byte past the allocated region. The over-read corrupts parser state or triggers a memory access fault, causing the host process to terminate.
Root Cause
The root cause is missing bounds validation on attacker-controlled length metadata. The read_iptc_profile function in Source/Metadata/IPTC.cpp does not verify that the declared profile size fits within the remaining input buffer before iterating across the profile bytes. Input validation must occur before the size value is used as a loop bound or pointer offset.
Attack Vector
An attacker delivers a crafted image to any service or client that calls into FreeImage for metadata extraction. Typical delivery channels include web upload endpoints, email attachments, document conversion pipelines, and thumbnail generators. No authentication or user interaction is required beyond submitting the file. The impact is limited to availability; the over-read does not disclose secrets or grant code execution under documented conditions. Technical details are tracked in the Red Hat Bug Report #2313704 and the SourceForge Bug Report #351.
Detection Methods for CVE-2024-9029
Indicators of Compromise
- Repeated crashes or segmentation faults in processes that load libfreeimage.so or FreeImage.dll
- Core dumps showing the faulting frame inside read_iptc_profile or Source/Metadata/IPTC.cpp
- Image upload requests followed by service restarts or worker recycling in web application logs
Detection Strategies
- Inspect crash telemetry for stack frames referencing FreeImage IPTC parsing routines.
- Apply file-format scanners that flag malformed IPTC application record lengths in JPEG, TIFF, and PSD inputs.
- Correlate image upload events with downstream process termination events on image-processing workers.
Monitoring Recommendations
- Forward application crash logs and core dump metadata to a centralized analytics platform for stack-frame analysis.
- Monitor image conversion services for elevated 5xx error rates following uploads of small or unusual image files.
- Track binary inventory for components linking against FreeImage to scope exposure across the estate.
How to Mitigate CVE-2024-9029
Immediate Actions Required
- Inventory all applications and container images that bundle or link against FreeImage.
- Restrict image upload endpoints to authenticated users and enforce strict file-type allowlists.
- Sandbox image parsing in a separate process or container so a crash does not terminate the parent service.
Patch Information
No official upstream patch release has been published in the referenced advisories. Track the SourceForge Bug Report #351 and downstream distribution updates such as the Red Hat Bug Report #2313704 for fixed package versions. Apply distribution updates as soon as backported fixes become available.
Workarounds
- Disable IPTC metadata extraction in calling applications where the API permits, bypassing the vulnerable code path.
- Pre-validate uploaded images with a hardened parser, such as ImageMagick with policy restrictions, before handing them to FreeImage.
- Run image-processing workers under a supervisor that automatically restarts crashed processes to reduce service disruption.
# Example: isolate FreeImage workloads with systemd hardening
[Service]
ExecStart=/usr/local/bin/image-worker
Restart=on-failure
RestartSec=2
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

