CVE-2023-47994: 
Homebrew vulnerability analysis and mitigation

An integer overflow vulnerability was discovered in the LoadPixelDataRLE4 function within PluginBMP.cpp of FreeImage 3.18.0. The vulnerability was disclosed on January 9, 2024, affecting the FreeImage image processing library. This security flaw has been assigned CVE-2023-47994 and received a CVSS v3.1 base score of 8.8 (High) (NVD).

The vulnerability stems from an integer overflow condition in the LoadPixelDataRLE4 function when processing BMP images. The issue occurs during memory allocation where width and height parameters, both 4-byte unsigned integers, are multiplied to calculate buffer size. Since these values are user-controllable, crafting specific input values can trigger an integer overflow, resulting in a smaller-than-intended memory allocation (GitHub POC).

The exploitation of this vulnerability can lead to multiple severe consequences including sensitive information disclosure, denial of service conditions, and potential arbitrary code execution. The high CVSS score of 8.8 reflects the significant impact potential, with the vulnerability affecting confidentiality, integrity, and availability (NVD).

As of January 2024, no official patch has been released to address this vulnerability. Multiple Linux distributions including Ubuntu and Debian have marked this vulnerability as 'fix deferred' pending an upstream fix (Ubuntu Security, Debian Security).