CVE-2022-2868
Published 2022-08-17
CVE-2022-2868: libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to…
Priority: P4 · 19 · medium · 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.30% (21.8th percentile)
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tiff | < tiff 4.4.0~rc1-1 (bookworm) | tiff 4.4.0~rc1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| libtiff | libtiff | < 4.4.0 | 4.4.0 |
| libtiff | libtiff | — | — |
| msrc | cbl2_libtiff_4.5.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_libtiff_4.5.0-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvd (v3.1) · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv · 6.5 MEDIUM
vendor_ubuntu · 6.5 MEDIUM
vendor_debian · 5.5 MEDIUM
vendor_msrc · 5.5 MEDIUM
vendor_redhat · 5.5 MEDIUM
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2022-11-08·CVSS 6.5
CVE-2022-2869 [MEDIUM] LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: Several security issues were fixed in LibTIFF.
It was discovered that LibTIFF incorrectly handled certain memory operations
when using tiffcrop. An attacker could trick a user into processing a specially
crafted tiff image file and potentially use this issue to cause a denial of
service. This issue only affected Ubuntu 22.10. (CVE-2022-2519, CVE-2022-2520,
CVE-2022-2521, CVE-2022-2953)
It was discovered that LibTIFF did not properly perform bounds checking in
certain operations when using tiffcrop. An attacker could trick a user into
processing a specially crafted tiff image file and potentially use this issue
to allow for information disclosure or to cause the application to crash. This
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS an
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2022-09-08·CVSS 5.5
CVE-2022-2869 [MEDIUM] LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: Several security issues were fixed in LibTIFF.
It was discovered that LibTIFF incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code. (CVE-2022-2867, CVE-2022-2869)
It was discovered that LibTIFF incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-2868)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
vendor_msrc·2022-08-09·CVSS 5.5
CVE-2022-2868 [MEDIUM] CWE-1284 libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to ref
Debian
CVE-2022-2868: tiff - libtiff's tiffcrop utility has an improper input validation flaw that can lead to...
vendor_debian·2022·CVSS 5.5
CVE-2022-2868 [MEDIUM] CVE-2022-2868: tiff - libtiff's tiffcrop utility has an improper input validation flaw that can lead to...
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
Scope: local
bookworm: resolved (fixed in 4.4.0~rc1-1)
bullseye: resolved (fixed in 4.2.0-1+deb11u3)
forky: resolved (fixed in 4.4.0~rc1-1)
sid: resolved (fixed in 4.4.0~rc1-1)
trixie: resolved (fixed in 4.4.0~rc1-1)
Red Hat
libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits()
vendor_redhat·2021-12-08·CVSS 5.5
CVE-2022-2868 [MEDIUM] CWE-1284 libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits()
libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits()
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
An improper input validation flaw was found in libtiff's tiffcrop utility. This issue can lead to an out-of-bounds read and cause a crash if an attacker can supply a crafted file to tiffcrop.
Statement: This flaw is present in the tiffcrop tool only and not in the libtiff library code.
Package: libtiff (Red Hat Enterprise Linux 6) - Out of support scope
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Out of support scope
Package: libtiff (Red Hat Enterprise Linux 7) - Out of support s
VulDB
LibTIFF tiffcrop out-of-bounds (EUVD-2022-35102 / Nessus ID 274520)
vuldb·2026-05-28·CVSS 5.5
CVE-2022-2868 [MEDIUM] LibTIFF tiffcrop out-of-bounds (EUVD-2022-35102 / Nessus ID 274520)
A vulnerability, which was classified as problematic, has been found in LibTIFF. This impacts an unknown function of the component tiffcrop. Performing a manipulation results in out-of-bounds read.
This vulnerability is known as CVE-2022-2868. Remote exploitation of the attack is possible. No exploit is available.
OSV
tiff vulnerabilities
osv·2022-11-08·CVSS 6.5
CVE-2022-2519 [MEDIUM] tiff vulnerabilities
tiff vulnerabilities
It was discovered that LibTIFF incorrectly handled certain memory operations
when using tiffcrop. An attacker could trick a user into processing a specially
crafted tiff image file and potentially use this issue to cause a denial of
service. This issue only affected Ubuntu 22.10. (CVE-2022-2519, CVE-2022-2520,
CVE-2022-2521, CVE-2022-2953)
It was discovered that LibTIFF did not properly perform bounds checking in
certain operations when using tiffcrop. An attacker could trick a user into
processing a specially crafted tiff image file and potentially use this issue
to allow for information disclosure or to cause the application to crash. This
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-2867, CVE-2022-2868, CVE-2022-2869)
OSV
tiff vulnerabilities
osv·2022-09-08·CVSS 5.5
CVE-2022-2867 [MEDIUM] tiff vulnerabilities
tiff vulnerabilities
It was discovered that LibTIFF incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code. (CVE-2022-2867, CVE-2022-2869)
It was discovered that LibTIFF incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-2868)
GHSA
GHSA-8rfm-2x4g-8xh5: libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is abl
ghsa_unreviewed·2022-08-18
CVE-2022-2868 [HIGH] CWE-125 GHSA-8rfm-2x4g-8xh5: libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is abl
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
OSV
CVE-2022-2868: libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is abl
osv·2022-08-17·CVSS 5.5
CVE-2022-2868 [MEDIUM] CVE-2022-2868: libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is abl
libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2118863
https://lists.debian.org/debian-lts-announce/2023/01/msg00018.html
https://www.debian.org/security/2023/dsa-5333
Published: 2022-08-17