CVE-2021-34055
Description
jhead 3.06 is vulnerable to Buffer Overflow via exif.c in function Put16u.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (7)
- jhead/jhead (description)
  - Range: <=3.06
- osv-coords (5 versions)
  - pkg:rpm/opensuse/jhead&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/opensuse/jhead&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/jhead&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/jhead&distro=SUSE%20Package%20Hub%2015%20SP3
  - pkg:rpm/suse/jhead&distro=SUSE%20Package%20Hub%2015%20SP4
  - Ranges: < 3.00-bp153.3.6.1 + 4 more
  - (no CPE) range: < 3.00-bp153.3.6.1
  - (no CPE) range: < 3.06.0.1-bp154.2.6.1
  - (no CPE) range: < 3.06.0.1-3.1
  - (no CPE) range: < 3.00-bp153.3.6.1
  - (no CPE) range: < 3.06.0.1-bp154.2.6.1
Patches
Vulnerability mechanics
Root cause
"Use-after-free in exif.c's Put16u function: freed heap memory is written after DiscardAllButExif deallocates the EXIF buffer."
Attack vector
An attacker supplies a crafted JPEG file (the PoC is named `jhead_poc`) that causes `jhead` to improperly handle EXIF data during the `-autorot` processing path. The malformed file triggers a heap-use-after-free because `DiscardAllButExif` in `jpgfile.c:540` frees a heap region while a pointer inside that region is later used for writing in `Put16u` via `ClearOrientation`. No authentication or special network access is required; the victim only needs to run `jhead -autorot` on the crafted file [ref_id=1].
Affected code
The vulnerability occurs in `Put16u` in `exif.c` and `ClearOrientation` in `exif.c:1248`, called from `DoAutoRotate` in `jhead.c:729` and `ProcessFile` in `jhead.c:879`. The heap-use-after-free stems from memory freed by `DiscardAllButExif` in `jpgfile.c:540` being subsequently written to.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the bug as a heap-use-after-free in `Put16u` but does not provide a diff or fix commit. To remediate this vulnerability, the maintainers would need to ensure that memory freed by `DiscardAllButExif` is no longer referenced or that `ClearOrientation` (and similar callers) validate that the EXIF buffer remains valid before writing into it.
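The lifetime rule described in the remediation paragraph above, as an added C sketch. It is a simplified model and not jhead source code; every identifier in it (`image_t`, `image_load`, `image_discard`, `image_clear_orientation`, `put16u_le`) is hypothetical, and the sample bytes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, NOT jhead source: all names here are hypothetical. */
typedef struct {
    uint8_t *exif;        /* heap copy of the EXIF section */
    size_t   exif_len;
    uint8_t *orient_ptr;  /* cached pointer INTO exif (16-bit orientation) */
} image_t;

static void put16u_le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Copy a section and cache a pointer to the 2-byte field at offset `off`. */
int image_load(image_t *img, const uint8_t *data, size_t len, size_t off)
{
    memset(img, 0, sizeof *img);
    if (len < 2 || off > len - 2) return -1;  /* field must fit in buffer */
    if ((img->exif = malloc(len)) == NULL) return -1;
    memcpy(img->exif, data, len);
    img->exif_len = len;
    img->orient_ptr = img->exif + off;
    return 0;
}

/* Discard: every pointer derived from the buffer is invalidated with it. */
void image_discard(image_t *img)
{
    free(img->exif);
    img->exif = NULL;
    img->exif_len = 0;
    img->orient_ptr = NULL;  /* omit this and the cached pointer dangles */
}

/* Writer: refuses unless the cached pointer lies inside a live buffer. */
int image_clear_orientation(image_t *img)
{
    if (!img->exif || !img->orient_ptr || img->exif_len < 2) return -1;
    if (img->orient_ptr < img->exif ||
        (size_t)(img->orient_ptr - img->exif) > img->exif_len - 2) return -1;
    put16u_le(img->orient_ptr, 1);  /* EXIF orientation 1 = normal */
    return 0;
}

int main(void) {
    const uint8_t sample[8] = {0, 0, 0, 0, 6, 0, 0, 0};  /* constructed */
    image_t img;
    if (image_load(&img, sample, sizeof sample, 4) != 0) return 1;
    image_discard(&img);  /* buffer released before the orientation write */
    printf("write after discard: %d\n", image_clear_orientation(&img));
    return 0;
}
```

Building the real program with AddressSanitizer (`-fsanitize=address`) reports a write through a dangling pointer as heap-use-after-free, the bug class named in the root cause above.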
Preconditions
- input: Victim runs jhead with the `-autorot` flag on a crafted JPEG file.
- input: The crafted JPEG must trigger a memory-free operation in `DiscardAllButExif` before `Put16u` writes to the freed region.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- www.debian.org/security/2022/dsa-5294 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00004.html (mitre, mailing-list)
- github.com/Matthias-Wandel/jhead/issues/36 (mitre)