CVE-2016-9535

EUVD-2016-10341
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
libtifflibtiff
4.0.6
𝑥
= Vulnerable software versions
Windows Releases
Platform
Version
Windows 10
(x64, x86)
KB5066837
1607 (x64, x86)
KB5066836
1809 (x64, x86)
KB5066586
21H2 (arm64, x64, x86)
KB5066791
22H2 (arm64, x64, x86)
KB5066791
Windows 11
22H2 (arm64, x64)
KB5066793
23H2 (arm64, x64)
KB5066793
24H2 (arm64, x64)
KB5066835
25H2 (arm64, x64)
KB5066835
Windows Server 2008
Service Pack 2 (x64, x86)
KB5066877
Service Pack 2 Server Core (x64, x86)
KB5066877
Windows Server 2008 R2
Service Pack 1 (x64)
KB5066876
Service Pack 1 Server Core (x64)
KB5066876
Windows Server 2012
Server Core
KB5066875
Standard
KB5066875
Windows Server 2012 R2
Server Core
KB5066873
Standard
KB5066873
Windows Server 2016
Server Core
KB5066836
Standard
KB5066836
Windows Server 2019
Server Core
KB5066586
Standard
KB5066586
Windows Server 2022
23H2 Server Core
KB5066780
Server Core
KB5066782
Standard
KB5066782
Windows Server 2025
Server Core
KB5066835
Standard
KB5066835
Debian logo
Debian Releases
Debian Product
Codename
tiff
bookworm
4.5.0-6+deb12u1
fixed
bookworm (security)
4.5.0-6+deb12u1
fixed
bullseye
4.2.0-1+deb11u5
fixed
bullseye (security)
4.2.0-1+deb11u5
fixed
sid
4.5.1+git230720-5
fixed
trixie
4.5.1+git230720-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tiff
artful
not-affected
precise
ignored
trusty
Fixed 4.0.3-7ubuntu0.6
released
xenial
Fixed 4.0.6-1ubuntu0.1
released
yakkety
Fixed 4.0.6-2ubuntu0.1
released
zesty
not-affected
Common Weakness Enumeration
References
http://rhn.redhat.com/errata/RHSA-2017-0225.html
http://www.debian.org/security/2017/dsa-3844
http://www.securityfocus.com/bid/94484
http://www.securityfocus.com/bid/94744
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
http://rhn.redhat.com/errata/RHSA-2017-0225.html
http://www.debian.org/security/2017/dsa-3844
http://www.securityfocus.com/bid/94484
http://www.securityfocus.com/bid/94744
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33