CVE-2022-3570
published 2022-10-21CVE-2022-3570: Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via…
PriorityP418medium5.5CVSS 3.1
AVLACLPRNUIRSUCNINAH
EPSS
0.48%
38.2th percentile
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tiff | < tiff 4.4.0-5 (bookworm) | tiff 4.4.0-5 (bookworm) |
| libtiff | libtiff | — | — |
| libtiff | libtiff | 3.9.0 – 4.4.0 | — |
| msrc | cbl2_libtiff_4.4.0-5_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_libtiff_4.4.0-4_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv6.5MEDIUM
vendor_debian7.7HIGH
vendor_redhat7.7HIGH
vendor_ubuntu7.7HIGH
vendor_msrc5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
tiff vulnerabilities
osv·2022-11-08·CVSS 6.5
CVE-2022-2519 [MEDIUM] tiff vulnerabilities
tiff vulnerabilities
It was discovered that LibTIFF incorrectly handled certain memory operations
when using tiffcrop. An attacker could trick a user into processing a specially
crafted tiff image file and potentially use this issue to cause a denial of
service. This issue only affected Ubuntu 22.10. (CVE-2022-2519, CVE-2022-2520,
CVE-2022-2521, CVE-2022-2953)
It was discovered that LibTIFF did not properly perform bounds checking in
certain operations when using tiffcrop. An attacker could trick a user into
processing a specially crafted tiff image file and potentially use this issue
to allow for information disclosure or to cause the application to crash. This
issue only affected to Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-2867, CVE-2022-2868, CVE-2022-2869)
OSV
tiff vulnerabilities
osv·2022-10-27·CVSS 5.5
CVE-2022-3570 [MEDIUM] tiff vulnerabilities
tiff vulnerabilities
Chintan Shah discovered that LibTIFF incorrectly handled memory in
certain conditions. An attacker could trick a user into processing a specially
crafted image file and potentially use this issue to allow for information
disclosure or to cause the application to crash. (CVE-2022-3570)
It was discovered that LibTIFF incorrectly handled memory in certain
conditions. An attacker could trick a user into processing a specially
crafted tiff file and potentially use this issue to cause a denial of service.
(CVE-2022-3598)
GHSA
GHSA-w3vw-h42p-vjw6: Multiple heap buffer overflows in tiffcrop
ghsa_unreviewed·2022-10-21
CVE-2022-3570 [CRITICAL] CWE-787 GHSA-w3vw-h42p-vjw6: Multiple heap buffer overflows in tiffcrop
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
OSV
CVE-2022-3570: Multiple heap buffer overflows in tiffcrop
osv·2022-10-21·CVSS 5.5
CVE-2022-3570 [MEDIUM] CVE-2022-3570: Multiple heap buffer overflows in tiffcrop
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2022-11-08·CVSS 6.5
CVE-2022-2869 [MEDIUM] LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: Several security issues were fixed in LibTIFF.
It was discovered that LibTIFF incorrectly handled certain memory operations
when using tiffcrop. An attacker could trick a user into processing a specially
crafted tiff image file and potentially use this issue to cause a denial of
service. This issue only affected Ubuntu 22.10. (CVE-2022-2519, CVE-2022-2520,
CVE-2022-2521, CVE-2022-2953)
It was discovered that LibTIFF did not properly perform bounds checking in
certain operations when using tiffcrop. An attacker could trick a user into
processing a specially crafted tiff image file and potentially use this issue
to allow for information disclosure or to cause the application to crash. This
issue only affected to Ubuntu 18.04 LTS, Ubuntu 20.04 LTS an
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2022-10-27·CVSS 7.7
CVE-2022-3570 [HIGH] LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: Several security issues were fixed in LibTIFF.
Chintan Shah discovered that LibTIFF incorrectly handled memory in
certain conditions. An attacker could trick a user into processing a specially
crafted image file and potentially use this issue to allow for information
disclosure or to cause the application to crash. (CVE-2022-3570)
It was discovered that LibTIFF incorrectly handled memory in certain
conditions. An attacker could trick a user into processing a specially
crafted tiff file and potentially use this issue to cause a denial of service.
(CVE-2022-3598)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result in
vendor_msrc·2022-10-11·CVSS 5.5
CVE-2022-3570 [HIGH] CWE-787 Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result in
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash potential information disclosure or any other context-dependent impact
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog po
Red Hat
libtiff: heap Buffer overflows in tiffcrop.c
vendor_redhat·2022-02-24·CVSS 7.7
CVE-2022-3570 [HIGH] CWE-122 libtiff: heap Buffer overflows in tiffcrop.c
libtiff: heap Buffer overflows in tiffcrop.c
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
A heap-based buffer overflow flaw was found in Libtiff's tiffcrop utility. This issue occurs during the conversion of a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes an out-of-bound access resulting an application crash, eventually leading to a denial of service.
Package: libtiff (Red Hat Enterprise Linux 6) - Out of support scope
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Out of su
Debian
CVE-2022-3570: tiff - Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version ...
vendor_debian·2022·CVSS 7.7
CVE-2022-3570 [HIGH] CVE-2022-3570: tiff - Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version ...
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
Scope: local
bookworm: resolved (fixed in 4.4.0-5)
bullseye: resolved (fixed in 4.2.0-1+deb11u3)
forky: resolved (fixed in 4.4.0-5)
sid: resolved (fixed in 4.4.0-5)
trixie: resolved (fixed in 4.4.0-5)
No detection rules found.
No public exploits indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3570.jsonhttps://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094chttps://gitlab.com/libtiff/libtiff/-/issues/381https://gitlab.com/libtiff/libtiff/-/issues/386https://lists.debian.org/debian-lts-announce/2023/01/msg00018.htmlhttps://security.netapp.com/advisory/ntap-20230203-0002/https://www.debian.org/security/2023/dsa-5333https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3570.jsonhttps://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094chttps://gitlab.com/libtiff/libtiff/-/issues/381https://gitlab.com/libtiff/libtiff/-/issues/386https://lists.debian.org/debian-lts-announce/2023/01/msg00018.htmlhttps://security.netapp.com/advisory/ntap-20230203-0002/https://www.debian.org/security/2023/dsa-5333
2022-10-21
Published