CVE-2023-26965 - Vulnerability Details - OpenCVE

loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Libtiff	Libtiff
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
libtiff-0:4.4.0-10.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6575	2023-11-07T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3513-1	tiff security update
Debian DLA	DLA-4026-1	tiff security update
EUVD	EUVD-2023-30755	loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.
Ubuntu USN	USN-6229-1	LibTIFF vulnerabilities
Ubuntu USN	USN-6290-1	LibTIFF vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://gitlab.com/libtiff/libtiff/-/merge_requests/472
https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html
https://nvd.nist.gov/vuln/detail/CVE-2023-26965
https://security.netapp.com/advisory/ntap-20230706-0009/
https://www.cve.org/CVERecord?id=CVE-2023-26965

History

Mon, 06 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-06-14T00:00:00

Updated: 2025-01-06T16:24:33.922Z

Reserved: 2023-02-27T00:00:00

Link: CVE-2023-26965

Vulnrichment

Updated: 2024-08-02T12:01:31.508Z

NVD

Status : Modified

Published: 2023-06-14T21:15:09.483

Modified: 2025-01-06T17:15:12.030

Link: CVE-2023-26965

Redhat

Severity : Moderate

Publid Date: 2023-06-14T00:00:00Z

Links: CVE-2023-26965 - Bugzilla

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-26965", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-01-06T16:24:33.922Z", "dateReserved": "2023-02-27T00:00:00", "datePublished": "2023-06-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-01T00:00:00"}, "descriptions": [{"lang": "en", "value": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/472"}, {"url": "https://security.netapp.com/advisory/ntap-20230706-0009/"}, {"name": "[debian-lts-announce] 20230731 [SECURITY] [DLA 3513-1] tiff security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:01:31.508Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/472", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230706-0009/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230731 [SECURITY] [DLA 3513-1] tiff security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T16:22:37.395080Z", "id": "CVE-2023-26965", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:24:33.922Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/472", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230706-0009/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", "name": "[debian-lts-announce] 20230731 [SECURITY] [DLA 3513-1] tiff security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:01:31.508Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-26965", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-06T16:22:37.395080Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:24:28.542Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/472"}, {"url": "https://security.netapp.com/advisory/ntap-20230706-0009/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", "name": "[debian-lts-announce] 20230731 [SECURITY] [DLA 3513-1] tiff security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-01T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2023-26965", "state": "PUBLISHED", "dateUpdated": "2025-01-06T16:24:33.922Z", "dateReserved": "2023-02-27T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-06-14T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*", "matchCriteriaId": "A17B02C6-10A4-4AAF-9D59-BEA968264451", "versionEndIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image."}], "id": "CVE-2023-26965", "lastModified": "2025-01-06T17:15:12.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-06-14T21:15:09.483", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/472"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230706-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/472"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230706-0009/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6575", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libtiff-0:4.4.0-10.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "libtiff: heap-based use after free via a crafted TIFF image in loadImage() in tiffcrop.c", "id": "2215206", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215206"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.", "A heap use-after-free vulnerability was found in LibTIFF's tiffcrop utility in the loadImage() function. This flaw allows an attacker to pass a crafted TIFF image file to the tiffcrop utility, which causes an out-of-bounds write access, resulting in an application crash, eventually leading to a denial of service."], "name": "CVE-2023-26965", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libtiff", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "compat-libtiff3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libtiff", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "compat-libtiff3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "libtiff", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2023-06-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-26965\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-26965"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-416: Use After Free vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure that only authorized users and roles can execute or modify code. Red Hat also enforces least functionality, enabling only essential features, services, and ports. Hardening guidelines ensure the most restrictive settings required for operations, while baseline configurations enforce safe memory allocation and deallocation practices to reduce the risk of use-after-free vulnerabilities. The environment employs IPS/IDS and antimalware solutions to detect and prevent malicious code and provide real-time visibility into memory usage, lowering the risk of arbitrary code execution. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of denial-of-service (DoS) attacks. In the event of successful exploitation, process isolation prevents a compromised process from accessing memory freed by another, containing potential impact. Finally, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) enhance resilience against memory-related vulnerabilities.", "threat_severity": "Moderate"}