Libtiff: null pointer dereference in tif_dirinfo.c

CVE-2024-7006

7.5HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9.2 Extended Update Support; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7
Vendor: CVE Published:; 12 August 2024

Summary

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Affected Version(s)

Red Hat Enterprise Linux 8 <= 0:4.0.9-33.el8_10

Red Hat Enterprise Linux 9.2 Extended Update Support <= 0:4.4.0-8.el9_2.1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Aug 12, 2024
Risk change from: null to: 6.2 - (MEDIUM)
Aug 9, 2024
Reported to Red Hat.
Aug 5, 2024
Vulnerability Reserved.
Jul 23, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Xu Chang (N/A) for reporting this issue.