CVE-2022-3598
Description
LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
39- osv-coords37 versionspkg:rpm/almalinux/libtiffpkg:rpm/almalinux/libtiff-develpkg:rpm/almalinux/libtiff-toolspkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.2pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tiff&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/tiff&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/tiff&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/tiff&distro=SUSE%20Manager%20Server%204.1
< 4.4.0-7.el9+ 36 more
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.4.0-5.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-44.62.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-44.62.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-44.62.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
- (no CPE)range: < 4.0.9-150000.45.22.1
Patches
Vulnerability mechanics
Root cause
"Insufficient buffer allocation in tiffcrop subroutines — several internal buffers were allocated without the extra 3 bytes needed by functions like extractContigSamplesShifted24bits, leading to an out-of-bounds write when processing crafted TIFF files."
Attack vector
An attacker supplies a crafted TIFF file that triggers the extractContigSamplesShifted24bits function (tools/tiffcrop.c:3604) during tiffcrop processing. Because the internal buffers were allocated without the required 3-byte oversize margin, the function writes beyond the allocated buffer boundary. The precondition is that the victim runs tiffcrop on the malicious file; no authentication or special network access is needed beyond file delivery. The out-of-bounds write can cause a crash (denial-of-service) [ref_id=1].
Affected code
The vulnerable code is in `tools/tiffcrop.c`, specifically the `extractContigSamplesShifted24bits` function at line 3604. The root cause is that multiple internal buffers (e.g., in `readContigTilesIntoBuffer`, `readSeparateTilesIntoBuffer`, `writeBufferToSeparateStrips`, `writeBufferToContigTiles`, `writeBufferToSeparateTiles`, and `readSeparateStripsIntoBuffer`) were allocated without the necessary 3-byte oversize margin required by these extraction subroutines [ref_id=1].
What the fix does
The commit [ref_id=1] introduces a `NUM_BUFF_OVERSIZE_BYTES` constant (value 3) and a compile-time assertion (`assert(NUM_BUFF_OVERSIZE_BYTES >= 3)`) to guarantee the extra padding. Every allocation site that previously used a hardcoded `+3` or no padding is updated to `+ NUM_BUFF_OVERSIZE_BYTES`, and `memset` calls are widened accordingly. This ensures that subroutines such as extractContigSamplesShifted24bits, extractContigSamples32bits, and similar functions always have the 3-byte headroom they require, closing the out-of-bounds write.
Preconditions
- inputAttacker must supply a crafted TIFF file that triggers the extractContigSamplesShifted24bits code path.
- networkThe victim must process the malicious file using tiffcrop (e.g., via a service that accepts TIFF uploads).
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- lists.debian.org/debian-lts-announce/2023/01/msg00018.htmlmitremailing-list
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3598.jsonmitre
- gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdffmitre
- gitlab.com/libtiff/libtiff/-/issues/435mitre
- security.netapp.com/advisory/ntap-20230110-0001/mitre
News mentions
0No linked articles in our index yet.