Your submission was sent successfully! Close


Published: 11 May 2022

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.


This CVE has the same fix as the one for CVE-2022-1622.
according to the issue in the libtiff git (410), this only affects
version 4.3.0 onwards, more specifically, versions that include
commit 3079627e. Further investigation has confirmed that versions
below 4.3.0 seem to be not affected, as the reproducer does not
work, and there are no SEGV errors. Impish and jammy, which
include version 4.3.0, also do not seem to be affected, as results
from running the POCs with their versions are different than the
ones obtained when the specific commit mentioned in the 410 issue
by the issue reporter is used with the same POC files (commit
b51bb157). For this reason, and because jammy and earlier do not
include code from commit 3079627e, these releases will be marked
as not vulnerable.


CVSS 3 base score: 5.5


Package Release Status
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
Released (4.4.0)
xenial Not vulnerable
(code not present)