LibTIFF tif_getimage.c TIFFReadRGBATileExt integer overflow
Description
A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
45- osv-coords43 versionspkg:rpm/almalinux/libtiffpkg:rpm/almalinux/libtiff-develpkg:rpm/almalinux/libtiff-toolspkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.2pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tiff&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/tiff&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/tiff&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/tiff&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/tiff&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tiff&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 4.4.0-7.el9+ 42 more
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.4.0-5.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-150000.45.19.1
- (no CPE)range: < 4.0.9-44.59.1
- (no CPE)range: < 4.0.9-44.59.1
- unspecified/LibTIFFv5Range: n/a
Patches
Vulnerability mechanics
Root cause
"An integer overflow occurs in TIFFReadRGBATileExt when processing strips or tiles larger than 2 GB."
Attack vector
The vulnerability can be triggered remotely by an attacker who crafts a malicious TIFF file. When this file is processed by the vulnerable function, the integer overflow can lead to unexpected behavior. The exact nature of the payload and how it exploits the overflow is not detailed, but it is known that the exploit has been publicly disclosed and may be used [ref_id=1].
Affected code
The vulnerability resides in the `TIFFReadRGBATileExt` function, located in the file `libtiff/tif_getimage.c`. The specific lines affected involve calculations related to `tile_ysize` and `read_ysize`, where the original code was susceptible to integer overflow when these values were large [ref_id=1].
What the fix does
The patch addresses the integer overflow by casting the relevant variables to `size_t` before performing calculations. This ensures that calculations involving potentially large strip or tile sizes, especially those exceeding 2 GB, are handled correctly without overflowing. The change in `libtiff/tif_getimage.c` prevents the integer overflow that could otherwise lead to memory corruption or other vulnerabilities [ref_id=1].
Preconditions
- inputThe attacker must provide a specially crafted TIFF file.
- networkThe vulnerability can be exploited remotely.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- lists.debian.org/debian-lts-announce/2023/01/msg00018.htmlmitremailing-list
- bugs.chromium.org/p/oss-fuzz/issues/detailmitre
- gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3bemitre
- oss-fuzz.com/downloadmitre
- security.netapp.com/advisory/ntap-20221215-0009/mitre
- support.apple.com/kb/HT213841mitre
- support.apple.com/kb/HT213843mitre
- vuldb.commitre
News mentions
0No linked articles in our index yet.