PatchSiren

CVE-2016-10095 Libtiff CVE debrief

CVE-2016-10095 is a stack-based buffer overflow in LibTIFF's _TIFFVGetField function in tif_dir.c. NVD describes the impact as a denial of service (crash) when a crafted TIFF file is processed and maps the issue to CWE-119 (improper restriction of operations within the bounds of a memory buffer). NVD published the CVE on 2017-03-01. NVD's CVSS v3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (base score 5.5, Medium). The local attack vector and required user interaction follow the CVSS convention for file-format bugs: the attacker supplies the TIFF, but something on the target has to open it. That convention understates exposure for services that parse untrusted TIFFs automatically, where no user action is needed.

Vendor: Libtiff
Product: LibTIFF
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Security and platform teams that deploy LibTIFF directly or indirectly, especially in image viewers, document ingestion pipelines, thumbnailing/conversion services, scanners, and any application that parses untrusted TIFF files.

Technical summary

The flaw is a stack-based buffer overflow in _TIFFVGetField within tif_dir.c, the internal routine that returns tag values to callers of TIFFGetField. According to NVD, a crafted TIFF file can trigger the overflow and crash the affected process, so the recorded impact is availability only. The record classifies the weakness as CWE-119. The published CVSS vector indicates no confidentiality or integrity impact, high availability impact, and user interaction required. Read the C:N/I:N rating as a statement of what NVD's sources observed (a crash), not as a guarantee about every possible outcome of a stack overflow in a tag-reading path; any process that loads untrusted TIFFs should be treated as exposed until patched.

Defensive priority

Medium. Raise to High where LibTIFF parses untrusted TIFFs in automated or internet-facing workflows, since the local-vector and user-interaction assumptions behind the 5.5 score do not hold there and a single crafted upload can take down the parsing service.

Recommended defensive actions

  • Inventory systems and applications that depend on LibTIFF, including dependencies pulled in transitively by image libraries, document toolkits and language bindings.
  • Apply the patched LibTIFF release or your distribution's security update once your vendor advisory confirms the fix; this debrief makes no fixed-version claim (see Evidence notes).
  • Restrict TIFF parsing to trusted inputs where possible, and sandbox or isolate conversion services that must handle external files so that a parser crash ends one job rather than the whole service.
  • Add file-type validation and input-handling controls so malformed or unexpected TIFFs are rejected before reaching LibTIFF; treat this as defense in depth, not a substitute for the patch.
  • Monitor crash reports (SIGSEGV/SIGABRT from TIFF-handling processes) and security advisories related to LibTIFF, especially the Debian, Gentoo, oss-security and NVD references linked to this CVE.
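The file-type validation item above, as an added example that is not LibTIFF's or any vendor's code: a structural pre-filter that checks the TIFF header and walks the IFD chain with explicit bounds checks before a file is handed to the real parser. The limits, the helper names and the sample TIFFs are constructed assumptions. It rejects gross malformation (offsets past end of file, entry counts that overrun the file, looping IFD chains), which is the class of trust-the-file mistake behind CWE-119; it does not know the specific tag values that trigger CVE-2016-10095 and is a layer in front of the patch, not a replacement for it.

```python
"""Structural pre-validation of a TIFF before it reaches LibTIFF.

Added example for an ingestion pipeline; it is not LibTIFF code and does
not fix CVE-2016-10095. It checks the header and walks the IFD chain with
explicit bounds checks, so files whose offsets or counts point outside the
file, or whose IFD chain loops, are rejected before a parser that trusts
those fields sees them. The limits below are policy choices (assumptions).
"""
import struct

# Byte width of each TIFF field type (TIFF 6.0 types 1-12, plus type 13 IFD).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2,
              9: 4, 10: 8, 11: 4, 12: 8, 13: 4}

MAX_IFDS = 64                        # assumption: IFD chain depth to tolerate
MAX_ENTRIES = 4096                   # assumption: entries per IFD
MAX_FIELD_BYTES = 64 * 1024 * 1024   # assumption: payload of a single tag


def prevalidate_tiff(data):
    """Return (True, 'ok') or (False, reason). Pixel data is not decoded."""
    n = len(data)
    if n < 8:
        return False, "shorter than TIFF header"
    if data[:2] == b"II":
        bo = "<"                     # little-endian
    elif data[:2] == b"MM":
        bo = ">"                     # big-endian
    else:
        return False, "bad byte-order mark"
    magic, ifd_off = struct.unpack_from(bo + "HI", data, 2)
    if magic != 42:                  # 43 would be BigTIFF; classic TIFF only here
        return False, "bad magic %d" % magic
    seen = set()
    while ifd_off != 0:
        if ifd_off in seen:
            return False, "IFD chain loops"
        if len(seen) >= MAX_IFDS:
            return False, "too many IFDs"
        seen.add(ifd_off)
        if ifd_off + 2 > n:
            return False, "IFD offset beyond EOF"
        (count,) = struct.unpack_from(bo + "H", data, ifd_off)
        if count == 0 or count > MAX_ENTRIES:
            return False, "implausible IFD entry count %d" % count
        end = ifd_off + 2 + count * 12 + 4   # entries plus next-IFD pointer
        if end > n:
            return False, "IFD entries overrun file"
        for i in range(count):
            tag, ftype, fcount, value = struct.unpack_from(
                bo + "HHII", data, ifd_off + 2 + i * 12)
            size = TYPE_SIZES.get(ftype)
            if size is None:
                return False, "tag %d has unknown field type %d" % (tag, ftype)
            total = size * fcount
            if total > MAX_FIELD_BYTES:
                return False, "tag %d payload too large (%d bytes)" % (tag, total)
            # Payloads wider than 4 bytes live out of line at 'value'.
            if total > 4 and value + total > n:
                return False, "tag %d data at offset %d overruns file" % (tag, value)
        (ifd_off,) = struct.unpack_from(bo + "I", data, end - 4)
    return True, "ok"


def build_le_tiff(entries, payload=b"", next_ifd=0):
    """Constructed sample builder (not from any real file): little-endian,
    one IFD at offset 8, inline values only. entries = (tag, type, count, value)."""
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, fcount, value in entries:
        ifd += struct.pack("<HHII", tag, ftype, fcount, value)
    ifd += struct.pack("<I", next_ifd)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + payload


# Constructed samples. VALID is a 1x1 bilevel image whose single strip
# starts at byte 110 (8-byte header + 2 + 8*12 + 4 bytes of IFD).
VALID = build_le_tiff([
    (256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 1), (259, 3, 1, 1),
    (262, 3, 1, 0), (273, 4, 1, 110), (278, 3, 1, 1), (279, 4, 1, 1),
], payload=b"\x00")
# Big-endian one-entry file (ImageWidth=1), hand-packed to exercise the "MM" path.
BIG_ENDIAN_VALID = (b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x01"
                    + b"\x01\x00\x00\x03\x00\x00\x00\x01\x00\x01\x00\x00"
                    + b"\x00\x00\x00\x00")
BAD_MAGIC = b"PK\x03\x04" + b"\x00" * 8
BAD_IFD_OFFSET = b"II" + struct.pack("<HI", 42, 0x7FFFFFF0)
OVERRUN_IFD = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 100) + b"\x00" * 16
OUT_OF_LINE_OVERRUN = build_le_tiff([(256, 3, 1, 1), (305, 2, 4096, 0x10000000)])
IFD_LOOP = build_le_tiff([(256, 3, 1, 1)], next_ifd=8)

if __name__ == "__main__":
    for name, blob in [("VALID", VALID), ("BIG_ENDIAN_VALID", BIG_ENDIAN_VALID),
                       ("BAD_MAGIC", BAD_MAGIC), ("BAD_IFD_OFFSET", BAD_IFD_OFFSET),
                       ("OVERRUN_IFD", OVERRUN_IFD),
                       ("OUT_OF_LINE_OVERRUN", OUT_OF_LINE_OVERRUN), ("IFD_LOOP", IFD_LOOP)]:
        print(name, prevalidate_tiff(blob))
```

Run the pre-filter on the bytes as received, before any temp file is handed to a converter; a rejection is also a useful signal to log, since a steady stream of structurally broken TIFFs from one source is worth a look on its own.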
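The isolation and crash-monitoring items above, as an added example that is not LibTIFF's or any vendor's code: a wrapper that runs whatever TIFF-consuming tool the pipeline uses in a resource-limited child process and classifies how it ended. A signal-terminated exit is exactly the availability impact NVD records for this CVE, so the wrapper turns it into a distinct verdict that can be counted and alerted on instead of disappearing into a generic job failure. It assumes Linux (setrlimit through the resource module); the limits, the Outcome type and the simulated commands are constructed assumptions standing in for a real converter.

```python
"""Run a TIFF-consuming tool in a resource-limited child and classify how it ends.

Added example for isolating a conversion step and making its outcome
observable; it is not LibTIFF or vendor code. Assumes Linux. The verdict
separates a clean exit, a controlled error, a signal-terminated crash (the
availability impact NVD records for CVE-2016-10095) and a hang.
"""
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS,
                 signal.SIGILL, signal.SIGFPE}


@dataclass
class Outcome:
    verdict: str                    # "ok" | "error" | "crash" | "timeout"
    returncode: Optional[int]
    signal_name: Optional[str]
    stderr: str


def _cap(res, want):
    """Lower a limit to 'want', never above the existing hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        want = min(want, hard)
    resource.setrlimit(res, (want, want))


def _apply_limits(mem_bytes, cpu_seconds):
    def apply():                    # runs in the child before exec
        _cap(resource.RLIMIT_AS, mem_bytes)      # address space
        _cap(resource.RLIMIT_CPU, cpu_seconds)   # CPU seconds
        _cap(resource.RLIMIT_CORE, 0)            # no core files from a crashing parser
    return apply


def run_isolated(argv: List[str], timeout_s=30, mem_bytes=1024 * 1024 * 1024,
                 cpu_seconds=30) -> Outcome:
    """Run argv with no stdin, bounded memory/CPU/wall time; classify the exit."""
    try:
        p = subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                           stderr=subprocess.PIPE, timeout=timeout_s,
                           preexec_fn=_apply_limits(mem_bytes, cpu_seconds))
    except subprocess.TimeoutExpired as exc:
        return Outcome("timeout", None, None, (exc.stderr or b"").decode(errors="replace"))
    rc = p.returncode
    err = p.stderr.decode(errors="replace")
    if rc < 0:                      # terminated by a signal
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = "SIG%d" % -rc
        if -rc == signal.SIGXCPU:   # CPU limit hit: a hang, not a memory bug
            return Outcome("timeout", rc, name, err)
        return Outcome("crash" if -rc in CRASH_SIGNALS else "error", rc, name, err)
    return Outcome("ok" if rc == 0 else "error", rc, None, err)


# Constructed stand-ins for a converter (assumption): a crash on a crafted
# file, a clean run, a controlled failure, and a hang.
SIMULATED_CRASH = [sys.executable, "-c",
                   "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
SIMULATED_OK = [sys.executable, "-c", "pass"]
SIMULATED_ERROR = [sys.executable, "-c", "raise SystemExit(2)"]
SIMULATED_HANG = [sys.executable, "-c", "import time; time.sleep(30)"]

if __name__ == "__main__":
    for label, cmd in [("crash", SIMULATED_CRASH), ("ok", SIMULATED_OK),
                       ("error", SIMULATED_ERROR)]:
        print(label, run_isolated(cmd))
    print("hang", run_isolated(SIMULATED_HANG, timeout_s=1))
```

In a real pipeline argv would be the converter and the (already pre-validated) file path, for example a tiffinfo or tiff2pdf invocation; a "crash" verdict should quarantine the input and raise a metric, because under this CVE it is the expected behaviour of an unpatched LibTIFF on a crafted file.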

Evidence notes

All claims are drawn from the supplied NVD record and the listed references. The vulnerability description and CWE come from the NVD metadata. The publication date is taken from the CVE record, and the reference set includes the MapTools issue tracker entry, Debian DSA-3903, two oss-security posts, SecurityFocus BID 95178, and a Gentoo advisory. No fixed-version claim is made here because the supplied corpus does not confirm one.

Official resources

NVD published CVE-2016-10095 on 2017-03-01 and last modified the record on 2026-05-13. The NVD reference list includes issue-tracker and third-party advisories dated 2017-01-01.