PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5319 Libtiff CVE debrief

CVE-2016-5319 is a publicly disclosed libtiff vulnerability first published on 2017-01-20. According to NVD, libtiff 4.0.6 and earlier are affected by a heap-based buffer overflow in tif_packbits.c. The issue is reachable through a crafted BMP file and is rated medium severity with a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: the flaw is reachable over the network, requires user interaction, and its primary impact is on availability.

Vendor: Libtiff
Product: CVE-2016-5319
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Organizations that process untrusted image files with libtiff, especially software handling BMP inputs, should care. This includes application teams, desktop environment maintainers, image-processing pipelines, and security teams responsible for endpoint and server software that links against libtiff.

Technical summary

NVD maps CVE-2016-5319 to CWE-119 and describes a heap-based buffer overflow in tif_packbits.c affecting libtiff through version 4.0.6. The vulnerable path is associated with crafted BMP input, and the CVSS vector indicates network access, no privileges, and required user interaction. The documented impact in the supplied corpus is denial of service via application crash rather than confidentiality or integrity compromise.

Defensive priority

Medium. The vulnerability is publicly known, affects a widely used image library, and can cause crashes when processing attacker-controlled files. Priority should be elevated for systems that routinely ingest untrusted images or expose file conversion and preview workflows to users.

Recommended defensive actions

  • Confirm whether libtiff 4.0.6 or earlier is present in your software bill of materials or embedded dependencies.
  • Upgrade or replace affected libtiff versions using a vendor-maintained release that addresses the issue.
  • Restrict or sandbox image parsing components that accept untrusted BMP files.
  • Reduce exposure by validating file sources and limiting automatic preview or conversion of untrusted images.
  • Monitor crash reports and application logs for failures in tif_packbits.c or image-decoding paths involving libtiff.
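The first action above, checking an SBOM for libtiff at or below 4.0.6, is easy to get wrong with plain string comparison (for example "4.0.10" sorts before "4.0.6"). The script below is an added illustration, not part of this debrief or of the libtiff project: it walks a constructed CycloneDX-style component list, compares versions numerically against the 4.0.6 ceiling NVD gives, and flags distro-suffixed versions for manual review because a vendor build may carry a backported fix that the upstream version number does not reveal.

```python
import json
import re

# Highest libtiff version NVD lists as affected for CVE-2016-5319 (per the debrief).
AFFECTED_THROUGH = (4, 0, 6)

# Constructed sample SBOM in CycloneDX-style JSON (not a real inventory).
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "libtiff", "version": "4.0.6"},
    {"name": "tiff", "version": "4.0.10"},
    {"name": "libtiff5", "version": "4.0.6-1ubuntu3"},
    {"name": "zlib", "version": "1.2.11"},
]})

def parse_version(version):
    """Leading dotted numeric part as a 3-tuple, plus whether a distro-style
    suffix such as '-1ubuntu3' was present. Returns (None, False) if unparsable."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        return None, False
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums)), bool(m.group(2))

def is_libtiff(name):
    # Package names vary across ecosystems: libtiff, tiff, libtiff5, libtiff-dev ...
    return re.fullmatch(r"(lib)?tiff\d*(-dev)?", name.lower()) is not None

def check_sbom(sbom_json):
    """Return (name, version, status) for each libtiff component. 'review' means a
    distro suffix was seen: the vendor may have backported the fix, so the
    upstream version number alone does not settle exposure."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name", ""), comp.get("version", "")
        if not is_libtiff(name):
            continue
        nums, has_suffix = parse_version(version)
        if nums is not None and nums > AFFECTED_THROUGH:
            status = "patched-upstream"
        elif nums is None or has_suffix:
            status = "review"
        else:
            status = "affected"
        findings.append((name, version, status))
    return findings

if __name__ == "__main__":
    for name, version, status in check_sbom(SAMPLE_SBOM):
        print(f"{name} {version}: {status}")
```

A "review" result should be resolved against the distribution's own advisory (for example the Gentoo GLSA cited below) rather than treated as safe or vulnerable on version alone.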

Evidence notes

The CVE record and NVD entry identify the issue as a heap-based buffer overflow in tif_packbits.c affecting libtiff 4.0.6 and earlier. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and CWE-119. Supplied references include oss-security mailing list posts, a SecurityFocus entry, and Gentoo GLSA 201701-16, which corroborate public disclosure and downstream awareness. No exploit code or patch details were provided in the supplied corpus.

Official resources

Publicly disclosed on 2017-01-20. The supplied NVD record is marked modified on 2026-05-13, but the CVE issue date remains 2017-01-20.