Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-2285Improper Restriction of Operations within the Bounds of a Memory Buffer in Tiff

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer11 documents9 sources
Severity
4.3MEDIUMNVD
OSV6.8
EPSS
16.8%
top 5.04%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Debian TiffLibtiff
Timeline
PublishedJul 1
Latest updateSep 23

Description

Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

NVDlibtiff/libtiff3.8.2
debiandebian/tiff< tiff 3.8.2-12 (bookworm)

🔴Vulnerability Details

2
GHSA
GHSA-ggpg-hpjr-gqrh: Buffer underflow in the LZWDecodeCompat function in libtiff 32022-05-02
OSV
CVE-2009-2285: Buffer underflow in the LZWDecodeCompat function in libtiff 32009-07-01

💥Exploits & PoCs

2
Exploit-DB
LibTIFF - 'LZWDecodeCompat()' Remote Buffer Underflow2009-11-12
Exploit-DB
LibTIFF 3.8.2 - 'LZWDecodeCompat()' Remote Buffer Underflow2009-05-21

📋Vendor Advisories

3
Ubuntu
tiff vulnerability2009-07-06
Red Hat
libtiff: LZWDecodeCompat underflow2009-01-03
Debian
CVE-2009-2285: tiff - Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context...2009

📄Research Papers

1
arXiv
ShadowBound: Efficient Heap Memory Protection Through Advanced Metadata Management and Customized Compiler Optimization2024-09-23

💬Community

2
Bugzilla
CVE-2009-2285 libtiff: LZWDecodeCompat underflow2009-07-13
Bugzilla
CVE-2009-2285 libtiff: LZWDecodeCompat underflow2009-06-22