Heap-Based Use After Free in LibTIFF Affects Multiple Versions
CVE-2023-26965

CVSS score: 5.5 (MEDIUM)

Key Information:

Vendor: LibTIFF
Status: Vendor
CVE Published: 14 June 2023

What is CVE-2023-26965?

The loadImage() function in the LibTIFF library, specifically in tools/tiffcrop.c, contains a heap-based use-after-free. The condition is triggered when the tiffcrop tool processes a crafted TIFF image, and can lead to memory corruption and unexpected behaviour in applications that use the affected code. Users of affected versions should apply the available patches or updates to mitigate the risk associated with this vulnerability.

References

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved