CVE-2016-9535
published 2016-11-22
Priority P346 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
4.77%
90.8th percentile
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.4_security_update_2017-001_el_capitan_and_security_update_201 | — | — |
| debian | tiff | < tiff 4.0.7-1 (bookworm) | tiff 4.0.7-1 (bookworm) |
| libtiff | libtiff | — | — |
| msrc | microsoft_office | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
| msrc | windows_11_version_25h2 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
CVSS provenance
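| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_msrc | | 4.0 | MEDIUM | |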
Microsoft
MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability
vendor_msrc·2025-10-14·CVSS 4.0
CVE-2016-9535 [CRITICAL] CWE-1395 MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability
Description: tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
MITRE created this CVE on their behalf. The documented Windows updates incorporate updates in LibTIFF which address this vulnerability. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Microsoft Graphics Component: Microsoft Graphics Component
MITRE: MITRE
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Rel
Apple
CVE-2016-9535: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
vendor_apple·2017-03-27·CVSS 9.8
CVE-2016-9535 [CRITICAL] CVE-2016-9535: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Product: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
CVE: CVE-2016-9535
Component: CVE-2016-9535
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2017-02-27
CVE-2015-7554 LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.
It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libtiff: Predictor heap-buffer-overflow
vendor_redhat·2016-11-04·CVSS 9.8
CVE-2016-9535 [CRITICAL] CWE-122 libtiff: Predictor heap-buffer-overflow
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
Package: libtiff (Red Hat Enterprise Linux 5) - Will not fix
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2016-9535: tiff - tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead t...
vendor_debian·2016·CVSS 9.8
CVE-2016-9535 [CRITICAL] CVE-2016-9535: tiff - tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead t...
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
Scope: local
bookworm: resolved (fixed in 4.0.7-1)
bullseye: resolved (fixed in 4.0.7-1)
forky: resolved (fixed in 4.0.7-1)
sid: resolved (fixed in 4.0.7-1)
trixie: resolved (fixed in 4.0.7-1)
VulDB
Apple macOS up to 10.12.3 tiffutil memory corruption (HT207615 / Nessus ID 97554)
vuldb·2026-05-30·CVSS 9.8
CVE-2016-9535 [CRITICAL] Apple macOS up to 10.12.3 tiffutil memory corruption (HT207615 / Nessus ID 97554)
A vulnerability was found in Apple macOS up to 10.12.3 and classified as problematic. This issue affects some unknown processing of the component tiffutil. The manipulation results in memory corruption.
This vulnerability was named CVE-2016-9535. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
VulDB
LibTIFF 4.0.6 Debug Mode/Release Mode tif_predict.c memory corruption (MSVR 35105 / Nessus ID 96704)
vuldb·2026-05-30·CVSS 9.8
CVE-2016-9535 [CRITICAL] LibTIFF 4.0.6 Debug Mode/Release Mode tif_predict.c memory corruption (MSVR 35105 / Nessus ID 96704)
A vulnerability has been found in LibTIFF 4.0.6 and classified as critical. Impacted is an unknown function of the file tif_predict.c of the component Debug Mode/Release Mode. Performing a manipulation results in memory corruption.
This vulnerability is reported as CVE-2016-9535. The attack is possible to be carried out remotely. No exploit exists.
The affected component should be upgraded.
GHSA
GHSA-9mr5-78vv-g6xr: tif_predict
ghsa_unreviewed·2022-05-14
CVE-2016-9535 [CRITICAL] CWE-119 GHSA-9mr5-78vv-g6xr: tif_predict
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
OSV
CVE-2016-9535: tif_predict
osv·2016-11-22·CVSS 9.8
CVE-2016-9535 [CRITICAL] CVE-2016-9535: tif_predict
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
No detection rules found.
No public exploits indexed.
Qualys
Microsoft and Adobe Patch Tuesday, October 2025 Security Update Review
blogs_qualys·2025-10-14
As cybersecurity threats evolve, Microsoft’s October 2025 Patch Tuesday delivers one of the most comprehensive security updates of the year. Here’s a quick breakdown of what you need to know.
Bleepingcomputer
Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
blogs_bleepingcomputer·2025-10-14·CVSS 7.8
[HIGH] Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
Author: Lawrence Abrams
80 Elevation of Privilege Vulnerabilities
11 Security Feature Bypass Vulnerabilities
31 Remote Code Execution Vulnerabilities
28 Information Disclosure Vulnerabilities
11 Denial of Service Vulnerabilities
10 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include those fixed in Azure, Mariner, Microsoft Edge, and other vulnerabilities earlier this month.
Notably, Windows 10 reaches the end of support today, with this being the last Patch Tuesday where Microsoft provides free security updates to the venerable operating system.
To continue receiving security upd
Crowdstrike
October 2025 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] October 2025 Patch Tuesday: Updates and Analysis
Bugzilla
CVE-2016-9448 CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 mingw-libtiff: various flaws [fedora-all]
bugzilla·2016-11-23·CVSS 7.5
CVE-2016-9448 [HIGH] CVE-2016-9448 CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 mingw-libtiff: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs bei
Bugzilla
CVE-2016-9448 CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 mingw-libtiff: various flaws [epel-7]
bugzilla·2016-11-23·CVSS 7.5
CVE-2016-9448 [HIGH] CVE-2016-9448 CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 mingw-libtiff: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs be
Bugzilla
CVE-2016-9535 libtiff: Predictor heap-buffer-overflow
bugzilla·2016-11-23·CVSS 9.8
CVE-2016-9535 [CRITICAL] CVE-2016-9535 libtiff: Predictor heap-buffer-overflow
It was found that tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling.
Upstream patch:
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5be5ce02d0dea67050d5b2a10102d1ba
Discussion:
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1397781]
---
Created mingw-libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1397782]
Affects: epel-7 [bug 1397783]
---
Hi Adam,
is the link correct? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9535 mentions the two commits:
https://github.com/vadz/libtiff
Bugzilla
CVE-2016-9448 CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 libtiff: various flaws [fedora-all]
bugzilla·2016-11-23·CVSS 7.5
CVE-2016-9448 [HIGH] CVE-2016-9448 CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 libtiff: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fix
- http://rhn.redhat.com/errata/RHSA-2017-0225.html
- http://www.debian.org/security/2017/dsa-3844
- http://www.securityfocus.com/bid/94484
- http://www.securityfocus.com/bid/94744
- https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
- https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33