libtiff: TIFFRasterScanlineSize64() produces a too-big size and could cause OOM
Description
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted TIFF file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input smaller than 379 KB.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- osv-coords (6 versions):
  - pkg:apk/chainguard/tiff (no CPE), range: < 0
  - pkg:apk/chainguard/tiff-dev (no CPE), range: < 0
  - pkg:apk/chainguard/tiff-doc (no CPE), range: < 0
  - pkg:apk/wolfi/tiff (no CPE), range: < 0
  - pkg:apk/wolfi/tiff-dev (no CPE), range: < 0
  - pkg:apk/wolfi/tiff-doc (no CPE), range: < 0
Patches
Vulnerability mechanics
Root cause
"Missing upper-bound validation in TIFFRasterScanlineSize64() allows attacker-controlled fields to produce an arbitrarily large scanline size, leading to memory exhaustion on allocation."
Attack vector
An attacker crafts a TIFF file with specially chosen values for `td->td_bitspersample` and `td->td_imagewidth` (byte offsets 0xC2-0xC3 and 0xAA-0xAB in the crafted file, respectively) so that `TIFFRasterScanlineSize64()` computes an extremely large scanline size [ref_id=1]. When an application (such as the PoC program or `tiffcp`) calls `TIFFRasterScanlineSize()` and then allocates a buffer of that size, the allocation request exhausts available memory and the process is terminated, causing a denial of service [ref_id=1]. The crafted input can be smaller than 379 KB, so it is easy to deliver remotely.
Affected code
The bug resides in `TIFFRasterScanlineSize64()` in libtiff. This function computes a scanline size by multiplying the user-controlled fields `td->td_bitspersample` and `td->td_imagewidth` (and, for the contiguous planar configuration, `td->td_samplesperpixel`) without any upper-bound check [ref_id=1]. The caller `TIFFRasterScanlineSize()` returns this unchecked value, which is then used for memory allocation [ref_id=1].
What the fix does
The advisory does not include a patch; it reports the issue at commit 4d0329a4539550f2396772b8c4c60c5fecdda7db [ref_id=1]. The recommended remediation is to add an upper-bound check in `TIFFRasterScanlineSize64()` (or its caller) so that the computed scanline size cannot exceed a sane maximum before being used for allocation [ref_id=1]. Without such a check, any code path that allocates based on the return value of `TIFFRasterScanlineSize()` is vulnerable to OOM.
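The arithmetic described in the attack-vector, affected-code and fix paragraphs above, as an added stand-alone example that is not libtiff's code and not from the advisory. The `TiffDirFields` struct mirrors only the `TIFFDirectory` members the computation reads; the struct, the function names and the sample tag values are constructed for illustration. One caveat worth stating: libtiff's `_TIFFMultiply64()` guards the products against 64-bit overflow only, so any product that fits in 64 bits is returned however large it is, which is why the bound has to be enforced by whoever allocates. libtiff 4.5.0 and later also offer `TIFFOpenOptionsSetMaxSingleMemAlloc()` to cap the library's own internal allocations, but that does not cover a `malloc()` the application performs itself on the value `TIFFRasterScanlineSize()` returns.

```c
/*
 * Added example (not libtiff's code): a stand-alone model of the arithmetic in
 * TIFFRasterScanlineSize64() and a caller-side bound on the allocation that the
 * libtiff API does not impose. TiffDirFields mirrors only the TIFFDirectory
 * members the computation reads; names and sample values are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PLANARCONFIG_CONTIG   1 /* PlanarConfiguration = chunky, as in tiff.h */
#define PLANARCONFIG_SEPARATE 2 /* PlanarConfiguration = planar, as in tiff.h */

typedef struct {
    uint32_t imagewidth;      /* ImageWidth tag      (td->td_imagewidth) */
    uint16_t bitspersample;   /* BitsPerSample tag   (td->td_bitspersample) */
    uint16_t samplesperpixel; /* SamplesPerPixel tag (td->td_samplesperpixel) */
    uint16_t planarconfig;    /* PlanarConfiguration (td->td_planarconfig) */
} TiffDirFields;

/* Overflow-checked multiply modelled on libtiff's _TIFFMultiply64: a product
 * that does not fit in 64 bits yields 0 (libtiff also reports an error).
 * Any product that does fit is returned as-is, however large. */
static uint64_t mul64_checked(uint64_t a, uint64_t b)
{
    uint64_t r = a * b;
    if (a != 0 && r / a != b)
        return 0;
    return r;
}

/* Bits to bytes, rounding up, as libtiff's TIFFhowmany8_64 macro does. */
static uint64_t howmany8_64(uint64_t bits)
{
    return (bits & 7) ? (bits >> 3) + 1 : (bits >> 3);
}

/* Model of TIFFRasterScanlineSize64(): BitsPerSample x ImageWidth, times
 * SamplesPerPixel when the planes are interleaved. There is no upper bound;
 * three attacker-controlled tags decide the result. */
uint64_t raster_scanline_size64(const TiffDirFields *td)
{
    uint64_t scanline = mul64_checked(td->bitspersample, td->imagewidth);
    if (td->planarconfig == PLANARCONFIG_CONTIG)
        scanline = mul64_checked(scanline, td->samplesperpixel);
    return howmany8_64(scanline);
}

/* What the vulnerable callers do: trust the size and hand it to malloc(). On
 * the crafted directory below this asks for tens of terabytes; under ASan the
 * process is torn down with an allocation-size-too-big / out-of-memory report. */
void *naive_scanline_alloc(const TiffDirFields *td)
{
    return malloc((size_t)raster_scanline_size64(td));
}

/* Hardened caller: refuse a 0 result (overflow already reported) and anything
 * above a per-scanline budget the application chooses for itself. */
void *checked_scanline_alloc(const TiffDirFields *td, uint64_t max_bytes)
{
    uint64_t n = raster_scanline_size64(td);
    if (n == 0 || n > max_bytes)
        return NULL;
    return malloc((size_t)n);
}

int main(void)
{
    /* Constructed directories: a plausible 640-pixel RGB strip, and one with
     * ImageWidth and BitsPerSample set to the maxima their tag types allow. */
    TiffDirFields benign  = { 640u, 8u, 3u, PLANARCONFIG_CONTIG };
    TiffDirFields crafted = { 0xFFFFFFFFu, 0xFFFFu, 1u, PLANARCONFIG_CONTIG };
    const uint64_t budget = 64ull << 20; /* 64 MiB: an illustrative ceiling */

    printf("benign scanline : %llu bytes\n",
           (unsigned long long)raster_scanline_size64(&benign));
    printf("crafted scanline: %llu bytes\n",
           (unsigned long long)raster_scanline_size64(&crafted));

    void *p = checked_scanline_alloc(&benign, budget);
    printf("checked alloc, benign : %s\n", p ? "ok" : "refused");
    free(p);
    printf("checked alloc, crafted: %s\n",
           checked_scanline_alloc(&crafted, budget) ? "ok" : "refused");
    /* naive_scanline_alloc(&crafted) is the PoC's behaviour; not run here. */
    return 0;
}
```

The budget in `checked_scanline_alloc()` is the application's decision, not libtiff's: pick it from the largest image the program legitimately needs to handle, and treat a refusal as a malformed-input error rather than retrying with a bigger limit.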
Preconditions
- (input) The target application must call TIFFRasterScanlineSize() or TIFFRasterScanlineSize64() and allocate memory based on the returned size.
- (input) The attacker must supply a crafted TIFF file with large td_bitspersample and td_imagewidth values.
Reproduction
1. Download the PoC input from https://github.com/PromptFuzz/crash_inputs/raw/main/libtiff/oom1/triger_input_41 [ref_id=1].
2. Build libtiff with ASan.
3. Compile the PoC program: `clang++ -fsanitize=fuzzer,address -g -O0 -I/libtiff/include poc.cc -o poc.out libtiff.a -lz -ljpeg -llzma -ljbig` [ref_id=1].
4. Run `./poc.out triger_input_41` to trigger the OOM [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://access.redhat.com/errata/RHSA-2025:20801 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/errata/RHSA-2025:21994 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/errata/RHSA-2025:23078 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/errata/RHSA-2025:23079 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/errata/RHSA-2025:23080 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/errata/RHSA-2026:3461 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/errata/RHSA-2026:3462 (vendor advisory; from the MITRE CVE record)
- https://access.redhat.com/security/cve/CVE-2023-52355 (vulnerability database entry; from the MITRE CVE record)
- https://bugzilla.redhat.com/show_bug.cgi (issue tracker; from the MITRE CVE record; the bug ID was not preserved in the extracted link)
- https://gitlab.com/libtiff/libtiff/-/issues/621 (upstream issue; from the MITRE CVE record)