VYPR
Unrated severity · NVD Advisory · Published Mar 15, 2018 · Updated Aug 5, 2024

CVE-2017-18234

Description

Exempi before 2.4.3 has a use-after-free in TIFF handling when parsing PDF files with JPEG data, leading to denial of service or possibly arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Exempi versions prior to 2.4.3 contain a use-after-free vulnerability in the TIFF metadata reconciliation code. The flaw resides in XMPFiles/source/FormatSupport/ReconcileTIFF.cpp, TIFF_MemoryReader.cpp, and TIFF_Support.hpp. When processing a PDF file that embeds JPEG data, an invalid memcpy operation can trigger a use-after-free condition. The issue is reachable without special configuration; any application using Exempi to parse XMP metadata from PDF files is affected.

Exploitation

An attacker can exploit this vulnerability with a malicious PDF file containing specially crafted JPEG data. The victim must open the file with an application that uses Exempi to extract XMP metadata (e.g., a media library or image viewer). No authentication or special network position is required; the attack is remote if the file is delivered via email, web download, or other means. When the application parses the PDF, it reaches the flawed TIFF reconciliation code, which leads to the use-after-free.

Impact

Successful exploitation results in a denial of service (application crash or hang) due to memory corruption. Additionally, the Ubuntu security advisory [2] notes that arbitrary code execution may be possible, depending on the memory layout and attacker control. The compromise occurs at the privilege level of the user running the application that uses Exempi.

Mitigation

The vulnerability is fixed in Exempi version 2.4.3 [1][2]. Red Hat Enterprise Linux and Ubuntu have released updated packages (e.g., RHSA-2019:2048 [1] and USN-3668-1 [2]). Users should upgrade to the patched version or apply the vendor-supplied updates. No workarounds are documented; the only mitigation is to update Exempi.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The library improperly handles JPEG data within PDF files, leading to a use-after-free vulnerability."

Attack vector

An attacker can craft a PDF file containing specially formatted JPEG data. When Exempi processes this malicious PDF file, it can trigger a use-after-free condition. This vulnerability can lead to a denial of service or potentially other unspecified impacts.

Affected code

The vulnerability is related to the processing of JPEG data within PDF files and impacts the following files: XMPFiles/source/FormatSupport/ReconcileTIFF.cpp, XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and XMPFiles/source/FormatSupport/TIFF_Support.hpp.

What the fix does

The advisory indicates that an update for exempi is available for Red Hat Enterprise Linux 7. This update addresses the use-after-free vulnerability. The exact code changes are not detailed in the provided advisory, but the update remediates the security issue.

Preconditions

  • input: A specially crafted PDF file containing JPEG data.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
