PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10092 Libtiff CVE debrief

CVE-2016-10092 is a heap-based buffer overflow in LibTIFF’s readContigStripsIntoBuffer() function in tif_unix.c. NVD classifies it as CWE-119 and assigns CVSS v3.0 7.8 HIGH. Public references in the supplied record show early disclosure and remediation activity in January 2017, including oss-security discussion, a Gentoo advisory, and downstream vendor handling, while the CVE itself was published on 2017-03-01.

Vendor: Libtiff
Product: CVE-2016-10092
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and distributors that process untrusted TIFF files with LibTIFF: desktop viewers, document conversion tools, scanners, image ingestion services, and any software that bundles or links against vulnerable LibTIFF releases.

Technical summary

The flaw is a heap-based buffer overflow in readContigStripsIntoBuffer() inside tif_unix.c. The CVE description says a crafted image can trigger the issue. The supplied NVD record maps it to CWE-119 and gives CVSS v3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The CVE description names multiple affected LibTIFF 3.9.x and 4.0.x releases, and the NVD CPE criteria explicitly mark LibTIFF 4.0.7 as vulnerable.

Defensive priority

High. This is memory corruption in a widely used image library, and the scoring indicates potentially severe confidentiality, integrity, and availability impact. Prioritize patching systems that accept TIFF content from users or external sources.

Recommended defensive actions

  • Apply the upstream fix referenced by commit 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a, or upgrade to a vendor package that includes it.
  • Install the corresponding downstream security update where available; the supplied record links Debian DSA-3762 as one example.
  • Inventory applications and services that bundle or dynamically link against LibTIFF, especially TIFF preview, conversion, and ingestion workflows.
  • Temporarily restrict or closely control untrusted TIFF upload and processing paths until patched.
  • Re-test image-processing pipelines after updating to confirm the vulnerable code path is no longer reachable.
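An added helper for the inventory step (example code written for this debrief, not part of the PatchSiren record or the LibTIFF project): it lists binaries that dynamically link libtiff, reads the version string the library embeds, and flags versions in the ranges named above. The function names are this example's own, and treating 4.0.7 as the upper bound of the affected 4.0.x range is an assumption drawn from the CPE criteria in the record.

```shell
#!/bin/sh
# Added example, not from the advisory or the LibTIFF project.
# Affected ranges assumed from the text: all 3.9.x, and 4.0.0 through 4.0.7
# (4.0.7 being the release the NVD CPE criteria explicitly mark vulnerable).

# Returns 0 when VERSION (e.g. "4.0.7") falls in an affected range, 1 otherwise.
libtiff_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0      # "4.0" with no patch component
    patch=${patch%%[!0-9]*}                 # drop suffixes such as "rc1"
    case "$major.$minor" in
        3.9) return 0 ;;
        4.0) if [ "${patch:-0}" -le 7 ]; then return 0; fi ;;
    esac
    return 1
}

# Prints the version embedded by TIFFGetVersion() in a libtiff shared object
# ("LIBTIFF, Version 4.0.7 ..."), or nothing if the string is absent.
libtiff_version_of() {
    grep -a -o 'LIBTIFF, Version [0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/.*Version //'
}

# Lists "<binary> <resolved libtiff path>" for executables and shared objects
# under DIR whose dynamic dependencies (per ldd) include libtiff.
scan_libtiff_users() {
    find "$1" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null \
    | while read -r f; do
        lib=$(ldd "$f" 2>/dev/null | awk '/libtiff\.so/ && $3 ~ /^\// { print $3; exit }')
        [ -n "$lib" ] && printf '%s %s\n' "$f" "$lib"
    done
}

# Usage: sh libtiff_inventory.sh /usr/bin
if [ "$#" -gt 0 ]; then
    scan_libtiff_users "$1" | while read -r bin lib; do
        ver=$(libtiff_version_of "$lib")
        if [ -z "$ver" ]; then status=version-unknown
        elif libtiff_affected "$ver"; then status=AFFECTED
        else status=not-in-listed-range; fi
        printf '%s -> %s %s %s\n' "$bin" "$lib" "${ver:-?}" "$status"
    done
fi
```

Bundled copies of libtiff (static links or vendored builds) carry no ldd dependency, so the version-string check on the binary itself is the fallback for those.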

Evidence notes

The supplied NVD record states: heap-based buffer overflow in readContigStripsIntoBuffer() in tif_unix.c, CWE-119, CVSS v3.0 7.8 HIGH, and references Bugzilla issues 2620 and 2622, an oss-security thread dated 2017-01-01, Gentoo’s advisory/patch write-up, Debian DSA-3762, and upstream commit 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a. The CVE was published on 2017-03-01. The record’s CPE criteria explicitly mark LibTIFF 4.0.7 vulnerable, while the CVE description lists additional affected 3.9.x and 4.0.x releases.

Official resources

Public discussion and patching references appear in early January 2017, and the CVE record was published on 2017-03-01. Use the CVE publish date for the vulnerability record; do not treat later modification dates as the original issue date.