Vendor
LibTIFF
LibTIFF is a library for reading and writing Tag Image File Format (TIFF) files. The distribution also contains command-line tools for processing TIFFs. It is distributed as source code, and binary builds are available for many platforms. LibTIFF was originally written by Sam Leffler while he was working for Silicon Graphics.
Products: 1
CVEs: 155
Across products: 1,044
Status: Private

Products
1 - 1,044 CVEs
Recent CVEs
155

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-9540 | Critical | 0.64 | 9.8 | 0.00 | | Nov 22, 2016 | tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." |
| CVE-2016-9539 | Critical | 0.64 | 9.8 | 0.00 | | Nov 22, 2016 | tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. |
| CVE-2016-9538 | Critical | 0.64 | 9.8 | 0.00 | | Nov 22, 2016 | tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100. |
| CVE-2016-9537 | Critical | 0.64 | 9.8 | 0.00 | | Nov 22, 2016 | tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097. |
| CVE-2016-9536 | Critical | 0.64 | 9.8 | 0.00 | | Nov 22, 2016 | tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow." |
| CVE-2016-9535 | Critical | 0.64 | 9.8 | 0.01 | | Nov 22, 2016 | tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." |
| CVE-2016-9534 | Critical | 0.64 | 9.8 | 0.00 | | Nov 22, 2016 | tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow." |
| CVE-2015-8668 | Critical | 0.64 | 9.8 | 0.07 | | Jan 8, 2016 | Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image. |
| CVE-2015-7554 | Critical | 0.64 | 9.8 | 0.02 | | Jan 8, 2016 | The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image. |
| CVE-2017-17095 | High | 0.61 | 8.8 | 0.04 | | Dec 2, 2017 | tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file. |
| CVE-2025-9900 | High | 0.57 | 8.8 | 0.00 | | Sep 23, 2025 | A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. |
| CVE-2017-17973 | High | 0.57 | 8.8 | 0.01 | | Dec 29, 2017 | In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue. |
| CVE-2017-11335 | High | 0.57 | 8.8 | 0.01 | | Jul 17, 2017 | There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4.0.8 via a PlanarConfig=Contig image, which causes an out-of-bounds write of more than one hundred bytes (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack. |
| CVE-2017-9935 | High | 0.57 | 8.8 | 0.00 | | Jun 26, 2017 | In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. |
| CVE-2017-5563 | High | 0.57 | 8.8 | 0.00 | | Jan 23, 2017 | LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff. |
| CVE-2017-5225 | High | 0.57 | 8.8 | 0.01 | | Jan 12, 2017 | LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. |
| CVE-2016-8331 | High | 0.53 | 8.1 | 0.06 | | Oct 28, 2016 | An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality. |
| CVE-2017-10688 | High | 0.52 | 7.5 | 0.04 | | Jun 29, 2017 | In LibTIFF 4.0.8, there is an assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack. |
| CVE-2026-4775 | High | 0.51 | 7.8 | 0.00 | | Mar 24, 2026 | A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution. |
| CVE-2017-7602 | High | 0.51 | 7.8 | 0.00 | | Apr 9, 2017 | LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. |
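The descriptions above keep naming the same trigger: a field read from the file overflows 16- or 32-bit arithmetic (CVE-2016-9538, CVE-2017-7602, CVE-2026-4775), or an oversized value such as BitsPerSample or the image height drives a size or pointer calculation (CVE-2017-5225, CVE-2025-9900), so the buffer that gets allocated is smaller than the strip or tile data later written into it. The C program below is an added illustration of that bug class and is not code from LibTIFF: it places a naive 32-bit strip-size calculation beside a checked one. The function names and the one-strip model are hypothetical, and the tag values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustration only; not LibTIFF code, and the function names are
 * hypothetical. It models one strip of a contiguous (PlanarConfig=Contig)
 * image: every input below is taken straight from attacker-controlled IFD
 * tags (ImageWidth, RowsPerStrip, SamplesPerPixel, BitsPerSample).
 */

/* Multiply two 64-bit values; return 0 instead of wrapping on overflow. */
static int mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/*
 * Unsafe version: the arithmetic is done in uint32_t and silently wraps.
 * A crafted geometry can make this return a tiny (even zero) size, so a
 * buffer allocated from it is far smaller than the strip data copied in.
 */
uint32_t strip_size_naive(uint32_t width, uint32_t rows_per_strip,
                          uint16_t samples_per_pixel, uint16_t bits_per_sample)
{
    uint32_t row_bytes = (width * samples_per_pixel * bits_per_sample + 7) / 8;
    return row_bytes * rows_per_strip;
}

/*
 * Checked version: rejects zero or implausible tag values, does every
 * multiplication in 64 bits with an explicit overflow test, and refuses a
 * total that would not fit in size_t. Returns 1 and sets *bytes on success,
 * 0 when the geometry must be treated as malformed.
 */
int strip_size_checked(uint32_t width, uint32_t rows_per_strip,
                       uint16_t samples_per_pixel, uint16_t bits_per_sample,
                       size_t *bytes)
{
    uint64_t bits_per_row, row_bytes, total;

    if (width == 0 || rows_per_strip == 0 || samples_per_pixel == 0)
        return 0;
    if (bits_per_sample == 0 || bits_per_sample > 64)
        return 0;

    if (!mul_u64_checked(width, samples_per_pixel, &bits_per_row))
        return 0;
    if (!mul_u64_checked(bits_per_row, bits_per_sample, &bits_per_row))
        return 0;
    /* bits_per_row <= 2^32 * 2^16 * 2^6 = 2^54, so the +7 cannot overflow. */
    row_bytes = (bits_per_row + 7) / 8;

    if (!mul_u64_checked(row_bytes, rows_per_strip, &total))
        return 0;
    if (total > (uint64_t)SIZE_MAX)
        return 0;

    *bytes = (size_t)total;
    return 1;
}

int main(void)
{
    /* Constructed geometry: 65536 px wide, 65536 rows, 8-bit grayscale.
     * The real strip is 2^32 bytes; the naive uint32_t product wraps to 0. */
    uint32_t w = 65536u, rows = 65536u;
    uint16_t spp = 1, bps = 8;
    size_t n;

    printf("naive strip size:   %u bytes\n", strip_size_naive(w, rows, spp, bps));
    if (strip_size_checked(w, rows, spp, bps, &n))
        printf("checked strip size: %zu bytes\n", n);
    else
        printf("checked: geometry rejected (does not fit in size_t)\n");

    /* Ordinary image: both calculations agree. */
    printf("640x480 RGB8: naive %u, checked %zu\n",
           strip_size_naive(640, 480, 3, 8),
           strip_size_checked(640, 480, 3, 8, &n) ? n : (size_t)0);
    return 0;
}
```

Compile with any C99 compiler and run. On a 64-bit host the checked version reports 4294967296 bytes for the crafted geometry while the naive one reports 0; on a 32-bit host the checked version rejects the file instead. Rejecting, rather than clamping, is the right response once a tag value fails a check, because downstream code (strip reads, predictors, tile copies) assumes the geometry it was handed is self-consistent.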