PatchSiren cyber security CVE debrief
CVE-2016-5315 Debian CVE debrief
CVE-2016-5315 is a memory-safety issue in libtiff's setByteArray function that can trigger an out-of-bounds read when a crafted TIFF image is processed, resulting in denial of service. NVD assigns it CVSS 3.0 5.5 MEDIUM (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and maps it to CWE-125.
- Vendor: Debian
- Product: CVE-2016-5315
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-07
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-07
- Advisory updated: 2026-05-13
Who should care
Organizations that use libtiff directly or indirectly in applications, services, or desktop workflows that open TIFF images should care most, especially where users can supply untrusted files. Debian-based systems and downstream packagers should also check whether their installed libtiff packages include the fix referenced by vendor advisories.
Technical summary
The vulnerable code path is in libtiff 4.0.6 and earlier, where setByteArray in tif_dir.c can read past valid bounds when handling a crafted TIFF image. The NVD record classifies the weakness as CWE-125 (out-of-bounds read) and rates the impact as availability-only denial of service. The CVSS vector supplied by NVD is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, so user interaction during image processing is part of the exposure model.
Defensive priority
Medium. The issue does not indicate confidentiality or integrity impact in the NVD vector, but it can crash affected software and is reachable through image handling paths that may be widely exposed to untrusted content.
Recommended defensive actions
- Upgrade libtiff to a patched version provided by your upstream or distribution package maintainer.
- Review systems that ingest TIFF files to identify where untrusted images can reach libtiff.
- Apply distribution/vendor guidance for affected platforms, including the Debian advisory referenced in the CVE record if you manage Debian systems.
- If immediate patching is not possible, reduce exposure by limiting or sandboxing TIFF processing from untrusted sources.
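The first two actions above, checked from the Debian side, as an added example that is not part of this debrief or of the libtiff project: a POSIX shell audit that compares installed libtiff binary packages against the fixed version from the distribution advisory. The fixed version string is not on this page, so it is passed in as an argument after reading DSA-3762; the threshold and dpkg-query lines used in the sample run are constructed placeholders.

```shell
#!/bin/sh
# Added example (not PatchSiren's or libtiff's code): audit installed
# libtiff packages on a Debian-based host against an advisory fixed version.
# Pass the real fixed version from DSA-3762 as the threshold; the values in
# the sample run below are constructed placeholders, not the advisory's.

# version_at_least VERSION THRESHOLD -> exit 0 if VERSION >= THRESHOLD.
# Uses dpkg's comparison where present, otherwise GNU sort -V (assumption:
# both agree for plain upstream-debian_revision strings without epochs).
version_at_least() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# classify_package NAME VERSION THRESHOLD -> prints one verdict line.
classify_package() {
  if version_at_least "$2" "$3"; then
    printf 'PATCHED %s %s\n' "$1" "$2"
  else
    printf 'VULNERABLE %s %s\n' "$1" "$2"
  fi
}

# audit_libtiff THRESHOLD reads "package version" lines on stdin, prints a
# verdict per package and returns 1 if any package is below the threshold.
# Real input: dpkg-query -W -f '${binary:Package} ${Version}\n' 'libtiff*'
audit_libtiff() {
  threshold=$1; vulnerable=0
  while read -r pkg ver; do
    [ -z "$pkg" ] && continue
    classify_package "$pkg" "$ver" "$threshold"
    version_at_least "$ver" "$threshold" || vulnerable=1
  done
  return $vulnerable
}

# Constructed sample resembling dpkg-query output on a mixed host.
SAMPLE_DPKG='libtiff5:amd64 4.0.6-1
libtiff-tools 4.0.7-1
libtiff5-dev:amd64 4.0.6-2'

# Sample run against a constructed threshold (substitute the DSA-3762 value).
sample_audit() {
  printf '%s\n' "$SAMPLE_DPKG" | audit_libtiff "4.0.6-2"
}
```

On a real host, pipe the dpkg-query command shown in the comment into `audit_libtiff <fixed-version>`; a non-zero exit marks the host for the upgrade step.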
Evidence notes
All core claims are taken from the supplied NVD/CVE corpus: the description states that setByteArray in tif_dir.c in libtiff 4.0.6 and earlier allows denial of service via an out-of-bounds read on crafted TIFF input; NVD lists CWE-125 and CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The referenced advisory set includes Debian DSA-3762, an oss-security mailing list post, SecurityFocus BID 91204, Red Hat bug 1346694, and Gentoo GLSA 201701-16.
Official resources
- CVE-2016-5315 CVE record (CVE.org)
- CVE-2016-5315 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Issue Tracking, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed in the CVE/NVD record on 2017-03-07; the supplied record was last modified on 2026-05-13.