libtiff: out-of-memory in TIFFOpen via a crafted file
Description
An out-of-memory flaw was found in libtiff. Passing a crafted TIFF file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input smaller than 379 KB.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
CPE (4 entries):
- cpe:/o:redhat:enterprise_linux:6
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:9
OSV coordinates (6 versions, no CPE):
- pkg:apk/chainguard/tiff, range: < 4.6.0-r1
- pkg:apk/chainguard/tiff-dev, range: < 4.6.0-r1
- pkg:apk/chainguard/tiff-doc, range: < 4.6.0-r1
- pkg:apk/wolfi/tiff, range: < 4.6.0-r1
- pkg:apk/wolfi/tiff-dev, range: < 4.6.0-r1
- pkg:apk/wolfi/tiff-doc, range: < 4.6.0-r1
Patches
Vulnerability mechanics
Root cause
"Missing bounds validation in strip-array allocation allows attacker-controlled image dimensions to trigger an excessive memory allocation."
Attack vector
An attacker provides a crafted TIFF file smaller than 379 KB to the `TIFFOpen()` API [ref_id=1]. When libtiff reads the directory, `ChopUpSingleUncompressedStrip` attempts to allocate strip arrays based on attacker-controlled image dimensions, causing an unreasonably large memory allocation that exhausts available memory [ref_id=1]. No authentication or special privileges are required; the only precondition is that the victim application calls `TIFFOpen()` on the attacker-supplied file [ref_id=1].
Affected code
The out-of-memory occurs during `TIFFOpen()` in the call chain `TIFFReadDirectory` → `ChopUpSingleUncompressedStrip` → `allocChoppedUpStripArrays` [ref_id=1]. The ASAN trace shows the allocation originates in `tif_dirread.c` at `allocChoppedUpStripArrays` (line 7267) and `ChopUpSingleUncompressedStrip` (line 7381) [ref_id=1].
What the fix does
The advisory does not include a published patch or specific remediation code [ref_id=1]. The issue was reported against commit `4d0329a4539550f2396772b8c4c60c5fecdda7db` and the recommended fix would involve adding bounds checks in `ChopUpSingleUncompressedStrip` or `allocChoppedUpStripArrays` to validate that the computed allocation size does not exceed a reasonable limit before calling `_TIFFCheckMalloc` [ref_id=1].
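A defensive check of the kind the recommended fix describes, written here as an added illustration (not libtiff's code and not the change in the linked merge request): it computes the strip count in 64-bit arithmetic, rejects an uncompressed image that claims more pixel data than the file actually holds, and caps the size of the two per-strip arrays before anything is allocated. The limit value, the function names and the parameters are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative cap on the memory the two strip arrays may take; the real
   libtiff policy differs and is not reproduced here. */
#define STRIP_ARRAY_LIMIT_BYTES ((uint64_t)64 * 1024 * 1024)

/* Number of strips an uncompressed image would be chopped into, with the
   rounding done in 64 bits so a large imagelength cannot wrap around. */
static bool strip_count(uint32_t imagelength, uint32_t rowsperstrip,
                        uint64_t *nstrips)
{
    if (imagelength == 0 || rowsperstrip == 0)
        return false;
    *nstrips = ((uint64_t)imagelength + rowsperstrip - 1) / rowsperstrip;
    return true;
}

/* Sanity checks that run before any allocation (hypothetical policy):
   1. an uncompressed image cannot hold more pixel data than the file has,
      so a sub-379 KB file claiming gigapixel dimensions is rejected;
   2. the offset and bytecount arrays (one uint64_t each per strip) must
      stay below the configured limit. */
static bool chop_is_sane(uint32_t imagelength, uint32_t rowsperstrip,
                         uint64_t scanline_bytes, uint64_t file_size,
                         uint64_t *nstrips)
{
    if (!strip_count(imagelength, rowsperstrip, nstrips))
        return false;
    /* Check 1: claimed raw data versus actual file size, overflow-free. */
    if (scanline_bytes == 0 || imagelength > file_size / scanline_bytes)
        return false;
    /* Check 2: nstrips * 2 * sizeof(uint64_t) <= limit, overflow-free. */
    if (*nstrips > STRIP_ARRAY_LIMIT_BYTES / (2 * sizeof(uint64_t)))
        return false;
    return true;
}

/* Allocate both arrays only after chop_is_sane() passed; NULL on rejection,
   which is where the described fix would bail out instead of allocating. */
static uint64_t *alloc_strip_arrays(uint32_t imagelength, uint32_t rowsperstrip,
                                    uint64_t scanline_bytes, uint64_t file_size,
                                    uint64_t *nstrips)
{
    if (!chop_is_sane(imagelength, rowsperstrip, scanline_bytes, file_size,
                      nstrips))
        return NULL;
    return calloc((size_t)(*nstrips * 2), sizeof(uint64_t));
}
```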
Preconditions
- input: The victim application must call TIFFOpen() on a file supplied by the attacker
- input: The crafted TIFF file must be smaller than 379 KB
Reproduction
Download the PoC input from `https://github.com/PromptFuzz/crash_inputs/raw/main/libtiff/oom1/oom_input` [ref_id=1]. Compile the fuzzer harness with `clang++ -fsanitize=fuzzer,address -g -O0 -I/libtiff/include poc.cc -o poc.out libtiff.a -lz -ljpeg -llzma -ljbig` and run `./poc.out oom_input` to trigger the out-of-memory condition [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/security/cve/CVE-2023-6277 (mitre; vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre; issue-tracking, x_refsource_REDHAT)
- gitlab.com/libtiff/libtiff/-/issues/614 (mitre)
- gitlab.com/libtiff/libtiff/-/merge_requests/545 (mitre)