CVE-2022-34526
Description
A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the "tiffsplit" or "tiffcrop" utilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (41)
- Tiffsplit/Tiffsplit (description)
- osv-coords, 39 versions (no CPE assigned); each entry lists the distribution, the package, and the affected range:
  - openSUSE Leap 15.3 (pkg:rpm/opensuse/tiff): < 4.0.9-150000.45.16.1
  - openSUSE Leap 15.4 (pkg:rpm/opensuse/tiff): < 4.0.9-150000.45.16.1
  - openSUSE Leap Micro 5.2 (pkg:rpm/opensuse/tiff): < 4.0.9-150000.45.16.1
  - openSUSE Tumbleweed (pkg:rpm/opensuse/tiff): < 4.4.0-3.1
  - SUSE Enterprise Storage 6 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Enterprise Storage 7 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise High Performance Computing 15-ESPOS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise High Performance Computing 15-LTSS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Micro 5.2 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Micro 5.3 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Module for Basesystem 15 SP3 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Module for Basesystem 15 SP4 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Module for Desktop Applications 15 SP3 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Module for Package Hub 15 SP3 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Module for Package Hub 15 SP4 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server 12 SP2-BCL (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Linux Enterprise Server 12 SP3-BCL (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Linux Enterprise Server 12 SP4-LTSS (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Linux Enterprise Server 12 SP5 (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Linux Enterprise Server 15 SP1-BCL (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server 15 SP1-LTSS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server 15 SP2-BCL (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server 15 SP2-LTSS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server 15-LTSS (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server for SAP Applications 12 SP4 (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Linux Enterprise Server for SAP Applications 12 SP5 (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Linux Enterprise Server for SAP Applications 15 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server for SAP Applications 15 SP1 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Server for SAP Applications 15 SP2 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Linux Enterprise Software Development Kit 12 SP5 (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE Manager Proxy 4.1 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Manager Retail Branch Server 4.1 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE Manager Server 4.1 (pkg:rpm/suse/tiff): < 4.0.9-150000.45.16.1
  - SUSE OpenStack Cloud 9 (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
  - SUSE OpenStack Cloud Crowbar 9 (pkg:rpm/suse/tiff): < 4.0.9-44.56.1
Patches
Vulnerability mechanics
Root cause
"Missing bounds checking in `_TIFFVGetField` allows writing past the end of a stack buffer when processing crafted TIFF tags."
Attack vector
An attacker provides a crafted TIFF file containing malformed or unexpected tags. When `tiffsplit` (or `tiffcrop`) parses this file, the `_TIFFVGetField` function writes beyond the bounds of a stack buffer, causing a stack-buffer-overflow (or global-buffer-overflow in the `tiffcrop` variant) [ref_id=1][ref_id=2]. The attack requires no authentication and is triggered simply by running the utility on the malicious file [ref_id=1].
Affected code
The stack overflow occurs in the `_TIFFVGetField` function within `libtiff/tif_dir.c` at line 1164 [ref_id=1]. The crash is triggered from `tiffsplit.c` line 260 (via `tiffcp`) and also from `tiffcrop` when processing a crafted TIFF file [ref_id=1][ref_id=2]. The second report notes a global-buffer-overflow variant in the same function when reached through `tiffcrop` [ref_id=2].
What the fix does
The advisory for ref_id=2 states that the issue was already patched in merge request !363, but notes that the `tiffcrop` attack vector was not mentioned in the original CVE-2022-34526 description [ref_id=2]. No patch diff is included in the bundle, so the exact code change cannot be described. The remediation guidance is to apply the existing patch from !363, which addresses the buffer overflow in `_TIFFVGetField` for both `tiffsplit` and `tiffcrop` [ref_id=2].
Preconditions
- input: Attacker must supply a crafted TIFF file that triggers the overflow.
- config: The victim must run either the tiffsplit or tiffcrop utility on the malicious file.
Reproduction
1. Download the PoC file from the linked repository (ref_id=1) or the poc.zip attached to ref_id=2.
2. Run `tiffsplit $POC` (ref_id=1) or `./tiffcrop -i poc.tif a.tif` (ref_id=2) on a vulnerable build of libtiff v4.4.0.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FC6LWPAEKYJ57LSHX4SBFMLRMLOZTHIJ/ (mitre, vendor-advisory)
- www.debian.org/security/2023/dsa-5333 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/01/msg00018.html (mitre, mailing-list)
- gitlab.com/libtiff/libtiff/-/issues/433 (mitre)
- gitlab.com/libtiff/libtiff/-/issues/486 (mitre)
- security.netapp.com/advisory/ntap-20220930-0002/ (mitre)