Description
A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
Problem types
Integer Overflow or Wraparound
Product status
0:4.6.0-6.el10_1.3 (rpm) before *
0:4.6.0-8.el10_2.1 (rpm) before *
0:4.6.0-6.el10_0.3 (rpm) before *
0:3.9.4-12.el7_9.2 (rpm) before *
0:4.0.3-35.el7_9.2 (rpm) before *
0:4.0.9-37.el8_10 (rpm) before *
0:3.9.4-15.el8_10 (rpm) before *
0:4.0.9-4.el8_10 (rpm) before *
0:4.0.9-18.el8_4.2 (rpm) before *
0:3.9.4-13.el8_4.2 (rpm) before *
0:4.0.9-18.el8_4.2 (rpm) before *
0:3.9.4-13.el8_4.2 (rpm) before *
0:4.0.9-21.el8_6.2 (rpm) before *
0:3.9.4-13.el8_6.2 (rpm) before *
0:4.0.9-21.el8_6.2 (rpm) before *
0:3.9.4-13.el8_6.2 (rpm) before *
0:4.0.9-21.el8_6.2 (rpm) before *
0:3.9.4-13.el8_6.2 (rpm) before *
0:4.0.9-29.el8_8.2 (rpm) before *
0:3.9.4-13.el8_8.2 (rpm) before *
0:4.0.9-29.el8_8.2 (rpm) before *
0:3.9.4-13.el8_8.2 (rpm) before *
0:4.4.0-15.el9_7.3 (rpm) before *
0:4.4.0-18.el9_8 (rpm) before *
0:4.2.0-3.el9_0.3 (rpm) before *
0:4.4.0-8.el9_2.5 (rpm) before *
0:4.4.0-12.el9_4.5 (rpm) before *
0:4.4.0-13.el9_6.4 (rpm) before *
1780681984 (rpm) before *
Timeline
| 2026-03-24: | Reported to Red Hat. |
| 2026-03-24: | Made public. |
Credits
Red Hat would like to thank PrymEvol and Quang Luong for reporting this issue.
References
lists.debian.org/debian-lts-announce/2026/04/msg00016.html
access.redhat.com/errata/RHSA-2026:12265 (RHSA-2026:12265)
access.redhat.com/errata/RHSA-2026:12271 (RHSA-2026:12271)
access.redhat.com/errata/RHSA-2026:14929 (RHSA-2026:14929)
access.redhat.com/errata/RHSA-2026:16055 (RHSA-2026:16055)
access.redhat.com/errata/RHSA-2026:19150 (RHSA-2026:19150)
access.redhat.com/errata/RHSA-2026:19363 (RHSA-2026:19363)
access.redhat.com/errata/RHSA-2026:19585 (RHSA-2026:19585)
access.redhat.com/errata/RHSA-2026:19586 (RHSA-2026:19586)
access.redhat.com/errata/RHSA-2026:19604 (RHSA-2026:19604)
access.redhat.com/errata/RHSA-2026:19608 (RHSA-2026:19608)
access.redhat.com/errata/RHSA-2026:19609 (RHSA-2026:19609)
access.redhat.com/errata/RHSA-2026:19657 (RHSA-2026:19657)
access.redhat.com/errata/RHSA-2026:19659 (RHSA-2026:19659)
access.redhat.com/errata/RHSA-2026:19702 (RHSA-2026:19702)
access.redhat.com/errata/RHSA-2026:20583 (RHSA-2026:20583)
access.redhat.com/errata/RHSA-2026:20585 (RHSA-2026:20585)
access.redhat.com/errata/RHSA-2026:20591 (RHSA-2026:20591)
access.redhat.com/errata/RHSA-2026:20592 (RHSA-2026:20592)
access.redhat.com/errata/RHSA-2026:24992 (RHSA-2026:24992)
access.redhat.com/errata/RHSA-2026:25096 (RHSA-2026:25096)
access.redhat.com/errata/RHSA-2026:25910 (RHSA-2026:25910)
access.redhat.com/security/cve/CVE-2026-4775
bugzilla.redhat.com/show_bug.cgi?id=2450768 (RHBZ#2450768)