Vulnerabilities > CVE-2022-34266 - Use of Uninitialized Resource vulnerability in Libtiff 4.0.335

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

libtiff

CWE-908

NVD

Published: 2022-07-19

Updated: 2022-09-23

Summary

The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

Vulnerable Configurations

Part	Description	Count
Application	Libtiff Libtiff Libtiff 4.0.3-35	1
OS	Amazon Amazon Linux 2 -	1

Common Weakness Enumeration (CWE)

CWE-908 - Use of Uninitialized Resource

References

https://alas.aws.amazon.com/AL2/ALAS-2022-1814.html
https://bugs.gentoo.org/859433