VYPR
Unrated severity · NVD Advisory · Published Feb 11, 2022 · Updated Aug 2, 2024

CVE-2022-0561

Description

A null source pointer passed as an argument to the memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via a crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

44

Vulnerability mechanics

Root cause

"Null pointer passed as the source argument to memcpy() in TIFFFetchStripThing()/TIFFReadDirectory when td_sampleinfo is uninitialized."

Attack vector

An attacker crafts a malicious TIFF image that triggers a code path in `TIFFReadDirectory` where `tif->tif_dir.td_sampleinfo` is null but the function still attempts to copy from it via `memcpy` [ref_id=1]. The attacker delivers the file to a victim who processes it with a libtiff-based tool (e.g., `tiffinfo -f lsb2msb -Dcdjrsz crash.tif`). The null-pointer dereference inside `memcpy` causes undefined behavior, typically resulting in a crash (Denial of Service) [ref_id=1]. No authentication or special network access is required beyond the ability to supply the crafted TIFF file.

Affected code

The vulnerability resides in `tif_dirread.c` within the `TIFFReadDirectory` function, specifically at line 4176 where `memcpy` is called. The call `memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, ...)` passes a null pointer as the second argument (`tif->tif_dir.td_sampleinfo`) when the `td_sampleinfo` field has not been properly initialized [ref_id=1].

What the fix does

The fix is available in commit `eecb0712`. The patch ensures that before the `memcpy` call at line 4176, the code checks whether `tif->tif_dir.td_sampleinfo` is non-null, or it allocates/initializes the pointer so that a null pointer is never passed to `memcpy`. This prevents the undefined behavior and crash that occurred when a crafted TIFF file caused `td_sampleinfo` to remain uninitialized while the code path still attempted to copy from it [ref_id=1].
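The guard described above, written out as an added example; it is not libtiff's code and not the patch in commit `eecb0712`. The names `dir_state` and `resize_info` are hypothetical stand-ins for a directory field that a crafted file can leave unset while the parser still resizes it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for parser state: `info` may still be NULL
 * when the resize path runs on a malformed file. */
struct dir_state {
    uint16_t *info;   /* may be NULL */
    size_t    count;  /* number of valid entries in info */
};

/* Unguarded form (the pattern the advisory describes), kept as a comment
 * because executing it with info == NULL is undefined behavior:
 *
 *     memcpy(fresh, d->info, d->count * sizeof *fresh);
 */

/* Guarded resize. Returns 0 on success, -1 on bad arguments, inconsistent
 * state, or allocation failure. New slots are zero-filled; old entries are
 * copied only when a source buffer actually exists. */
int resize_info(struct dir_state *d, size_t new_count)
{
    if (d == NULL || new_count == 0 || new_count > SIZE_MAX / sizeof *d->info)
        return -1;

    /* Entries claimed but no buffer behind them: reject instead of copying. */
    if (d->info == NULL && d->count != 0)
        return -1;

    uint16_t *fresh = calloc(new_count, sizeof *fresh);
    if (fresh == NULL)
        return -1;

    size_t keep = d->count < new_count ? d->count : new_count;
    if (d->info != NULL && keep > 0)   /* never hand memcpy a NULL source */
        memcpy(fresh, d->info, keep * sizeof *fresh);

    free(d->info);                     /* free(NULL) is a no-op */
    d->info = fresh;
    d->count = new_count;
    return 0;
}
```

Building the unguarded form with `-fsanitize=undefined` reports the NULL argument to `memcpy` at runtime, which is a practical way to catch this class of bug in fuzzing or CI.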

Preconditions

  • input: The victim must process a crafted TIFF file using a libtiff-based tool (e.g., tiffinfo).
  • config: The libtiff version must be between 3.9.0 and 4.3.0 (inclusive).

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
