Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file
AnalysisAI
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
Technical ContextAI
The vulnerability is a Use-After-Free (UAF) flaw classified under CWE category, occurring in NConvert's TIFF file parsing routines. TIFF (Tagged Image File Format) is a complex image format with multiple compression schemes and metadata structures that can trigger memory management issues in image processing libraries. NConvert, developed by XnSoft and identified via CPE references, processes image files through buffer operations that fail to properly validate or manage memory lifecycles when encountering malformed TIFF headers or data structures. The UAF occurs when the application attempts to access memory that has already been freed, a condition commonly triggered by edge cases in image format parsing where resource cleanup occurs prematurely or multiple code paths reference the same memory region.
RemediationAI
Immediately upgrade NConvert to a patched version released by XnSoft after version 7.230; check https://www.xnview.com/en/nconvert/ for the latest release and security advisories. Until patching is feasible, implement input validation by rejecting or sandboxing TIFF files from untrusted sources, restricting NConvert to processing only known-safe image formats, and running the application with minimal privileges in isolated environments (containers or separate user accounts). For automated systems, disable TIFF processing if not essential, validate TIFF file integrity using external tools before passing to NConvert, and consider using alternative image processing libraries that have undergone more recent security reviews. Monitor for vendor updates and apply them promptly.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14469