Skip to main content

CVE-2026-30007

| EUVDEUVD-2026-14469 MEDIUM
Use After Free (CWE-416)
2026-03-23 mitre
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 17:00 euvd
EUVD-2026-14469
Analysis Generated
Mar 23, 2026 - 17:00 vuln.today
CVE Published
Mar 23, 2026 - 00:00 nvd
MEDIUM 6.2

DescriptionCVE.org

XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file

AnalysisAI

XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.

Technical ContextAI

The vulnerability is a Use-After-Free (UAF) flaw classified under CWE category, occurring in NConvert's TIFF file parsing routines. TIFF (Tagged Image File Format) is a complex image format with multiple compression schemes and metadata structures that can trigger memory management issues in image processing libraries. NConvert, developed by XnSoft and identified via CPE references, processes image files through buffer operations that fail to properly validate or manage memory lifecycles when encountering malformed TIFF headers or data structures. The UAF occurs when the application attempts to access memory that has already been freed, a condition commonly triggered by edge cases in image format parsing where resource cleanup occurs prematurely or multiple code paths reference the same memory region.

RemediationAI

Immediately upgrade NConvert to a patched version released by XnSoft after version 7.230; check https://www.xnview.com/en/nconvert/ for the latest release and security advisories. Until patching is feasible, implement input validation by rejecting or sandboxing TIFF files from untrusted sources, restricting NConvert to processing only known-safe image formats, and running the application with minimal privileges in isolated environments (containers or separate user accounts). For automated systems, disable TIFF processing if not essential, validate TIFF file integrity using external tools before passing to NConvert, and consider using alternative image processing libraries that have undergone more recent security reviews. Monitor for vendor updates and apply them promptly.

Share

CVE-2026-30007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy