CVE-2022-34266

The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

Published: Jul 19, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-34266
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWEs:

CWE-908

Affected Software
References

Software	From	Fixed in
libtiff / libtiff	4.0.3-35	4.0.3-35.x

https://alas.aws.amazon.com/AL2/ALAS-2022-1814.html
https://bugs.gentoo.org/859433

Vulnerability Database

289,599

CVE-2022-34266