PatchSiren cyber security CVE debrief

CVE-2016-9453 Debian CVE debrief

CVE-2016-9453 is an out-of-bounds write flaw in LibTIFF's t2p_readwrite_pdf_image_tile function. The issue can lead to a crash and, according to the CVE description, may also permit arbitrary code execution when processing a crafted JPEG file with a TIFFTAG_JPEGTABLES value of length one. NVD rates the issue HIGH with CVSS 7.8 and lists a local, user-interactive attack vector.

Vendor: Debian
Product: CVE-2016-9453
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Security teams and administrators responsible for systems that bundle or depend on LibTIFF, especially where untrusted image files are processed. The NVD record also maps affected Debian and openSUSE platform CPEs, so distro package maintainers and users of packaged libtiff builds should review exposure.

Technical summary

The vulnerable path is t2p_readwrite_pdf_image_tile in LibTIFF. The flaw is classified as CWE-787 (out-of-bounds write). Per the CVE description, a specially crafted JPEG with TIFFTAG_JPEGTABLES of length one can trigger the memory corruption. NVD's CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates local execution with user interaction despite the broader 'remote attackers' wording in the description. NVD's CPE criteria mark libtiff versions before 4.0.7 as vulnerable and also list Debian 8.0, Debian 9.0, and openSUSE 13.2 as affected platform entries.

Defensive priority

High. This is a memory corruption bug in a widely used image library with crash and possible code execution impact, and the CVSS score is 7.8.

Recommended defensive actions

  • Upgrade LibTIFF to version 4.0.7 or later, or apply the vendor backport that removes the vulnerable condition.
  • Check whether any packaged Debian or openSUSE builds in your environment include the fixed LibTIFF release.
  • Inventory applications and services that parse untrusted TIFF/JPEG content through LibTIFF.
  • Prioritize remediation for workflows that accept user-uploaded or externally supplied images.
  • Consult your distribution or application vendor's security advisories before patching, and verify afterwards that the vulnerable package has actually been replaced.
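As an added example (not PatchSiren's, Debian's or LibTIFF's code), the following Python scanner walks a classic TIFF's IFD chain and flags any TIFFTAG_JPEGTABLES entry (tag 347) whose count is one, the trigger condition named in the technical summary. It assumes classic 32-bit TIFF (BigTIFF is rejected) and ships with a constructed sample builder so it can be exercised offline; it is a triage heuristic for the upload workflows listed above, not a replacement for the 4.0.7 fix.

```python
import struct

TIFFTAG_JPEGTABLES = 347  # tag number LibTIFF uses for JPEGTables


def suspicious_jpegtables_entries(data: bytes):
    """Return (ifd_offset, count) for every JPEGTables entry with count == 1.

    Detection heuristic written for this debrief (assumption: classic TIFF only).
    Raises ValueError for inputs that are not a classic TIFF at all.
    """
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        end = "<"  # little-endian
    elif data[:2] == b"MM":
        end = ">"  # big-endian
    else:
        raise ValueError("not a TIFF byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("unsupported TIFF magic (BigTIFF not handled)")
    hits, seen = [], set()
    while ifd_off and ifd_off not in seen:
        seen.add(ifd_off)  # guard against IFD loops in hostile files
        if ifd_off + 2 > len(data):
            break  # truncated IFD: stop rather than read past the end
        (n_entries,) = struct.unpack_from(end + "H", data, ifd_off)
        pos = ifd_off + 2
        for _ in range(n_entries):
            if pos + 12 > len(data):
                return hits  # truncated entry table
            tag, _typ, count, _val = struct.unpack_from(end + "HHII", data, pos)
            if tag == TIFFTAG_JPEGTABLES and count == 1:
                hits.append((ifd_off, count))
            pos += 12
        if pos + 4 > len(data):
            break
        (ifd_off,) = struct.unpack_from(end + "I", data, pos)  # next IFD pointer
    return hits


def build_sample(jpegtables_count: int) -> bytes:
    """Constructed little-endian TIFF skeleton: one IFD with ImageWidth and a
    JPEGTables entry of the given count. Test input only; value field is a dummy."""
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 256, 3, 1, 16)  # ImageWidth (SHORT) = 16
    ifd += struct.pack("<HHII", TIFFTAG_JPEGTABLES, 7, jpegtables_count, 0xFF)
    ifd += struct.pack("<I", 0)  # no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd
```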

Evidence notes

This debrief is based on the CVE description, NVD CVSS vector and weakness data, NVD CPE criteria, and the provided references: Bugzilla issue 2579, oss-security posting from 2016-11-19, Debian DSA-3762, openSUSE security announce, SecurityFocus BID 94406, and Gentoo GLSA 201701-16. The CVE record was published on 2017-01-27.

Official resources

The issue was publicly discussed in oss-security on 2016-11-19 and was published as a CVE record on 2017-01-27. The NVD record was later modified on 2026-05-13, but that date is only record maintenance context, not the vulnerability's issue