PatchSiren cyber security CVE debrief

CVE-2016-6223 Libtiff CVE debrief

CVE-2016-6223 is a critical libtiff flaw in TIFFReadRawStrip1 and TIFFReadRawTile1. A crafted TIFF can trigger a negative index in a file-content buffer, which may crash applications that process the image and may also expose sensitive information. Systems using libtiff 4.0.6 or earlier should be treated as vulnerable until upgraded to 4.0.7 or later.

Vendor: Libtiff
Product: CVE-2016-6223
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams that ingest, preview, convert, thumbnail, or otherwise parse TIFF files with libtiff-based software; vendors embedding libtiff; and security teams responsible for image-processing services or document pipelines exposed to untrusted files.

Technical summary

The NVD record describes a negative-index condition in tif_read.c affecting TIFFReadRawStrip1 and TIFFReadRawTile1 in libtiff before 4.0.7. The issue is reachable through malicious file content alone. The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H indicates a network-reachable, low-complexity trigger that needs no privileges or user interaction, with high impact to confidentiality and availability and no impact to integrity. NVD maps the weakness to CWE-189 (numeric error).

Defensive priority

Immediate. If untrusted TIFF files can reach your environment, prioritize upgrading libtiff to 4.0.7 or later and validating dependent packages and applications that bundle or statically link the library.

Recommended defensive actions

  • Upgrade libtiff to 4.0.7 or a vendor-fixed release that includes the upstream patch.
  • Inventory applications and appliances that parse TIFF files and confirm whether they use libtiff 4.0.6 or earlier.
  • Restrict or sandbox TIFF processing for services that accept untrusted uploads or content feeds.
  • Apply vendor, distro, or platform advisories that reference this issue, including Debian and Gentoo guidance where relevant.
  • Retest image-processing workflows after patching to confirm the vulnerable library version is no longer present.
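The inventory and retest steps above come down to comparing each reported libtiff version against the 4.0.7 fix boundary. The helper below does that over version strings in the forms a practitioner typically collects (a bare pkg-config number, a distro package version, or the TIFFGetVersion banner). It is an added example, not PatchSiren's or libtiff's own code; the host names and version strings are constructed.

```python
import re

# CVE-2016-6223 is fixed upstream in libtiff 4.0.7; anything older is affected.
FIXED_VERSION = (4, 0, 7)

# Matches "4.0.6", "4.0.6-1+deb8u3" (distro suffix) or the TIFFGetVersion()
# banner "LIBTIFF, Version 4.0.6". Feed it the library version, not a shared
# object soname such as libtiff.so.5.2.4, which is numbered differently.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_libtiff_version(text):
    """Return the upstream (major, minor, patch) tuple found in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the upstream libtiff version in text is older than 4.0.7.

    Caveat: distributions often backport the fix while keeping the old
    upstream number (e.g. 4.0.6-1+deb8u3), so True means "check the distro
    advisory for this package", not "confirmed vulnerable".
    """
    version = parse_libtiff_version(text)
    if version is None:
        raise ValueError(f"no libtiff version found in {text!r}")
    return version < FIXED_VERSION


def triage(inventory):
    """Return the names of inventory entries (name, version_text) needing attention."""
    return [name for name, text in inventory if is_affected(text)]


# Constructed sample inventory; these are not real hosts or collected data.
SAMPLE_INVENTORY = [
    ("thumbnailer-01", "LIBTIFF, Version 4.0.6"),      # TIFFGetVersion() banner
    ("convert-02", "4.0.7"),                            # pkg-config --modversion libtiff-4
    ("ocr-appliance", "libtiff5 4.0.3-12.3+deb8u2"),    # distro package version
    ("pdf-gateway", "4.1.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: libtiff older than 4.0.7, confirm patch status")
```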

Evidence notes

This debrief is based on the NVD CVE record and its cited references. The NVD entry identifies libtiff versions up to 4.0.6 as affected and links the upstream 4.0.7 patch page, Debian and Gentoo advisories, and July 2016 oss-security mailing-list posts. The CVE was published on 2017-01-23 and later modified on 2026-05-13 in the supplied record.

Official resources

Public references in the supplied record include July 2016 oss-security mailing-list posts and the upstream 4.0.7 patch page; the CVE record was published on 2017-01-23.