CVE-2006-2026
Published 2006-04-25
CVE-2006-2026: Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute…
Priority P434 medium 6.5 CVSS 2.0
AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 9.74% (94.9th percentile)
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | httpd | — | — |
| debian | tiff | < tiff 3.8.1 (bookworm) | tiff 3.8.1 (bookworm) |
| ensdomains | ens-contracts | 0 – 1.6.2 | — |
| libtiff | libtiff | <= 3.8.0 | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
CVSS provenance
nvd v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
osv: 6.5 MEDIUM
vendor_redhat: 8.8 HIGH
vendor_debian: 6.5 MEDIUM
vendor_apache: 5.4 LOW
Red Hat
postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code
vendor_redhat·2026-02-12·CVSS 8.8
CVE-2026-2006 [HIGH] CWE-1285 postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat P
Ubuntu
TIFF library vulnerabilities
vendor_ubuntu·2006-05-04
CVE-2006-2024 TIFF library vulnerabilities
Title: TIFF library vulnerabilities
Summary: TIFF library vulnerabilities
Tavis Ormandy and Andrey Kiselev discovered that libtiff did not
sufficiently verify the validity of TIFF files. By tricking a user
into opening a specially crafted TIFF file with any application that
uses libtiff, an attacker could exploit this to crash the application
or even execute arbitrary code with the application's privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
security flaw
vendor_redhat·2006-03-03·CVSS 6.5
CVE-2006-2026 [MEDIUM] security flaw
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
Debian
CVE-2006-2026: tiff - Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-d...
vendor_debian·2006·CVSS 6.5
CVE-2006-2026 [MEDIUM] CVE-2006-2026: tiff - Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-d...
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
Scope: local
bookworm: resolved (fixed in 3.8.1)
bullseye: resolved (fixed in 3.8.1)
forky: resolved (fixed in 3.8.1)
sid: resolved (fixed in 3.8.1)
trixie: resolved (fixed in 3.8.1)
Citrix
Citrix Security Bulletin CTX111695
vendor_citrix·CVSS 6.0
CVE-2006-6573 [MEDIUM] Citrix Security Bulletin CTX111695
CVE References: CVE-2006-6573, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
Citrix Security Bulletin CTX110492
vendor_citrix·CVSS 6.5
CVE-2006-3779 [MEDIUM] Citrix Security Bulletin CTX110492
CVE References: CVE-2006-3779, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
Citrix Security Bulletin CTX111615
vendor_citrix·CVSS 6.5
CVE-2006-6572 [MEDIUM] Citrix Security Bulletin CTX111615
CVE References: CVE-2006-6572, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
Citrix Security Bulletin CTX111614
vendor_citrix·CVSS 6.5
CVE-2006-6572 [MEDIUM] Citrix Security Bulletin CTX111614
CVE References: CVE-2006-6572, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Apache
Apache httpd: CVE-2005-3357
vendor_apache·CVSS 5.4
CVE-2005-3357 [LOW] Apache httpd: CVE-2005-3357
A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the worker MPM.
Reported to security team: 2005-12-05
Issue public: 2005-12-12
Update 2.2.2 released: 2006-05-01
Update 2.0.58 released: 2006-05-01
Affects: 2.2.0, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
GHSA
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
ghsa·2026-02-25
CVE-2026-22866 [LOW] CWE-347 ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
### Impact
The `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership.
Affected contracts
Contract | Address | Status
-- | -- | --
RSASHA256Algorithm | 0x9D1B5a639597f558bC37Cf81813724076c5C1e96 | Vulnerable
RSASHA1Algorit
GHSA
GHSA-vcfg-6cwj-xppm: Double free vulnerability in tif_jpeg
ghsa_unreviewed·2022-05-03
CVE-2006-2026 [MEDIUM] CWE-119 GHSA-vcfg-6cwj-xppm: Double free vulnerability in tif_jpeg
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
OSV
CVE-2006-2026: Double free vulnerability in tif_jpeg
osv·2006-04-25·CVSS 6.5
CVE-2006-2026 [MEDIUM] CVE-2006-2026: Double free vulnerability in tif_jpeg
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
No detection rules found.
Bugzilla
CVE-2006-10003 perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files
bugzilla·2026-03-19·CVSS 9.8
CVE-2006-10003 [CRITICAL] CVE-2006-10003 perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files
XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack.
In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.
The bug can be observed when parsing an XML file with very deep element nesting
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:7680 https://access.redhat.com/errata/RHSA-2026:7680
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:7681 https://access.redhat.com/errata/
Bugzilla
CVE-2026-2006 mingw-postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code [fedora-42]
bugzilla·2026-02-12·CVSS 8.8
CVE-2026-2006 [HIGH] CVE-2026-2006 mingw-postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a
Bugzilla
CVE-2026-2006 postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code
bugzilla·2026-02-12·CVSS 8.8
CVE-2026-2006 [HIGH] CVE-2026-2006 postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:3730 https://access.redhat.com/errata/RHSA-2026:3730
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:3887 https://access.redhat.com/errata/RHSA-2026:3887
---
This issue has been addresse
Bugzilla
CVE-2006-2026 security flaw
bugzilla·2018-08-16·CVSS 6.5
CVE-2006-2026 [MEDIUM] CVE-2006-2026 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
Tenable
Marcus Ranum PaulDotCom Interview on Penetration Testing
blogs_tenable·2008-12-14·CVSS 7.8
[HIGH] Marcus Ranum PaulDotCom Interview on Penetration Testing
# Marcus Ranum PaulDotCom Interview on Penetration Testing
Ron Gula
December 14, 2008
Tenable's CSO, Marcus Ranum, was recently interviewed on the PaulDotCom Security Weekly podcast. They discussed a wide range of topics regarding penetration testing, secure coding, Marcus's "6 Dumbest Ideas" in computer security and much more.
- Full PaulDotCom show notes.
- Direct link to the show's MP3 audio recording.
- Tenable podcast and slides on Marcus's "6 Dumbest Ideas in Computer Security" presentation from 2006.
- Very cool image of Marcus Ranum demonstrating cutting edge computer security practices.
ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc
http://bugzilla.remotesensing.org/show_bug.cgi?id=1102
http://secunia.com/advisories/19838
http://secunia.com/advisories/19897
http://secunia.com/advisories/19936
http://secunia.com/advisories/19949
http://secunia.com/advisories/19964
http://secunia.com/advisories/20021
http://secunia.com/advisories/20023
http://secunia.com/advisories/20210
http://secunia.com/advisories/20345
http://secunia.com/advisories/20667
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201332-1
http://support.avaya.com/elmodocs2/security/ASA-2006-119.htm
http://www.debian.org/security/2006/dsa-1054
http://www.gentoo.org/security/en/glsa/glsa-200605-17.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:082
http://www.novell.com/linux/security/advisories/2006_04_28.html
http://www.redhat.com/support/errata/RHSA-2006-0425.html
http://www.securityfocus.com/bid/17733
http://www.trustix.org/errata/2006/0024
http://www.vupen.com/english/advisories/2006/1563
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189933
https://exchange.xforce.ibmcloud.com/vulnerabilities/26135
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11389
https://usn.ubuntu.com/277-1/
2006-04-25
Published