CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
A flaw was found in the libtiff library. An attacker who can get a specially crafted TIFF file decoded by an application that uses libtiff can trigger a signed integer overflow in the putcontig8bitYCbCr44tile function. The overflow corrupts the pointer arithmetic used while writing the decoded tile into the output raster, producing an out-of-bounds heap write that can crash the application (denial of service) or potentially allow arbitrary code execution. Consistent with the CVSS vector above (AV:L, UI:R), the malicious file has to be opened locally by a user or service; no network access to the target is needed beyond delivering the file.
Analysis
A signed integer overflow vulnerability exists in the libtiff library's putcontig8bitYCbCr44tile function that leads to out-of-bounds heap writes through incorrect memory pointer calculations. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are confirmed affected. …
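The following program is an added illustration of the bug class described above; it is not libtiff's code and not the advisory's, and the tile layout it models (w pixels per scanline, four scanlines per block row, a caller-supplied toskew gap between scanlines, a per-block-row stride of 3*w + 4*toskew held in a 32-bit signed field) is an assumption chosen to resemble contiguous 4x4-block tile writers in general. It shows the unchecked stride computation wrapping for a large tile width, the hardened 64-bit computation with overflow detection rejecting the same input, and a dry-run walk of the writer's pointer that reports the first store that would land outside the raster instead of performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a contiguous 4x4-block tile writer (hypothetical; not libtiff).
 * Each block row stores four scanlines of w 32-bit pixels starting at cp,
 * cp+(w+toskew), cp+2*(w+toskew) and cp+3*(w+toskew); afterwards cp advances
 * by w + stride, where stride = 3*w + 4*toskew.
 */

/* The stride as a 32-bit signed field ends up holding it once 3*w exceeds
 * INT32_MAX. The wrap is done in unsigned arithmetic so this demo itself is
 * well defined; a real int32 overflow is undefined behaviour that usually
 * yields the same value on two's-complement hardware. */
static int32_t stride_wrapping(uint32_t w, int32_t toskew)
{
    uint32_t v = 3u * w + 4u * (uint32_t)toskew;
    return (int32_t)v;
}

/* Hardened form: compute in 64 bits, detect every overflow, and refuse any
 * result that does not fit the 32-bit field used to bump the pointer. */
static bool stride_checked(uint32_t w, int32_t toskew, int32_t *out)
{
    int64_t a, b, r;
    if (__builtin_mul_overflow((int64_t)3, (int64_t)w, &a)) return false;
    if (__builtin_mul_overflow((int64_t)4, (int64_t)toskew, &b)) return false;
    if (__builtin_add_overflow(a, b, &r)) return false;
    if (r < INT32_MIN || r > INT32_MAX) return false;
    *out = (int32_t)r;
    return true;
}

/* Convenience wrapper: the checked stride, or INT64_MIN when it is rejected. */
static int64_t stride_or_fail(uint32_t w, int32_t toskew)
{
    int32_t s;
    return stride_checked(w, toskew, &s) ? (int64_t)s : INT64_MIN;
}

/* Dry run of the writer's pointer over block_rows block rows of a raster that
 * holds raster_pixels uint32 values, starting at pixel offset start. No memory
 * is touched. Returns the first pixel offset a store would hit outside
 * [0, raster_pixels), or -1 if every store is in range. */
static int64_t first_oob_store(int64_t raster_pixels, int64_t start,
                               uint32_t w, int32_t toskew, int32_t stride,
                               uint32_t block_rows)
{
    int64_t cp = start;
    int64_t scan_gap = (int64_t)w + toskew;
    for (uint32_t br = 0; br < block_rows; br++) {
        for (int n = 0; n < 4; n++) {
            int64_t s = cp + n * scan_gap;
            if (s < 0 || s >= raster_pixels) return s;
            if (s + (int64_t)w > raster_pixels) return raster_pixels;
        }
        cp += (int64_t)w + stride;
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs: a 16-pixel-wide tile is fine; a tile 800,000,000
     * pixels wide makes 3*w exceed INT32_MAX, the wrapped stride turns
     * negative, and the second block row would be written below the buffer. */
    uint32_t small_w = 16, huge_w = 800000000u;

    printf("small: wrapping=%d checked=%lld first_oob=%lld\n",
           stride_wrapping(small_w, 0), (long long)stride_or_fail(small_w, 0),
           (long long)first_oob_store(16 * 8, 0, small_w, 0,
                                      stride_wrapping(small_w, 0), 2));
    printf("huge:  wrapping=%d checked=%lld first_oob=%lld\n",
           stride_wrapping(huge_w, 0), (long long)stride_or_fail(huge_w, 0),
           (long long)first_oob_store((int64_t)huge_w * 8, 0, huge_w, 0,
                                      stride_wrapping(huge_w, 0), 2));
    return 0;
}
```

The dry-run walker is the part worth reusing in review: given the tile and raster dimensions a file claims, it answers "where does the first bad store go" before any decoding happens. When hunting this class of bug in real code, build with `-fsanitize=signed-integer-overflow` (part of `-fsanitize=undefined`) so the actual int32 wrap, which this demo deliberately avoids, is reported at the offending line rather than surfacing later as a heap corruption.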
Remediation
Within 24 hours:
- Inventory all RHEL 6, 7, 8, 9 and 10 systems and identify the applications that link against or load libtiff; communicate vulnerability status to stakeholders.

Within 7 days:
- Restrict TIFF upload and processing at the application level where feasible.
- Segment the network to limit lateral movement from a compromised host.
- Disable TIFF processing in non-critical applications.
…
Vendor Status
Debian
| Release | Status | Version in release | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 4.2.0-1+deb11u5 | - |
| bullseye (security) | vulnerable | 4.2.0-1+deb11u7 | - |
| bookworm, bookworm (security) | vulnerable | 4.5.0-6+deb12u3 | - |
| trixie, trixie (security) | vulnerable | 4.7.0-3+deb13u1 | - |
| forky, sid | vulnerable | 4.7.1-1 | - |

The version column is the libtiff source package version currently shipped in each release, not a fixed version: the Debian tracker lists the fix as (unfixed), so no release, including unstable, has a patched package yet.
EUVD-2026-14901