PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5563 Libtiff CVE debrief

CVE-2017-5563 is a high-severity libtiff flaw affecting version 4.0.7. According to NVD, a crafted BMP image processed by tools/bmp2tiff can trigger a heap-based buffer over-read in tif_lzw.c. The impact is documented as denial of service and potentially code execution, and the CVSS vector indicates network exposure with user interaction required.

Vendor
Libtiff
Product
libtiff 4.0.7 (tracked as CVE-2017-5563)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Security and platform teams running libtiff 4.0.7, especially if they use bmp2tiff or any image-processing workflow that accepts untrusted BMP files. Distribution maintainers and application owners that bundle libtiff should also review their dependency status.

Technical summary

NVD classifies the issue as CWE-125 (Out-of-bounds Read). The affected CPE entry names libtiff 4.0.7. The vulnerability is a heap-based buffer over-read in tif_lzw.c that is reachable through crafted BMP input passed to tools/bmp2tiff. The published CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8): the attacker needs no privileges and the file can arrive over the network, but a user or an automated pipeline has to feed it to the converter, and all three impact components are rated high. An out-of-bounds read is, on its own, primarily a crash and information-disclosure primitive, so treat code execution as the worst case the NVD description allows for rather than the expected result; a denial of service against a conversion pipeline is the outcome to plan for first.

Defensive priority

High. A high CVSS score, a possible code-execution outcome, and exposure through user-supplied image content make this worth prompt patching or dependency replacement in any environment that processes BMP files with libtiff 4.0.7.

Recommended defensive actions

  • Verify whether any systems, containers, or products use libtiff 4.0.7.
  • Prioritize updating or replacing affected libtiff deployments in image-processing paths.
  • Audit for use of tools/bmp2tiff or similar conversion workflows that accept untrusted BMP files.
  • Apply vendor or distribution guidance from the linked advisories (for example, the Gentoo and Ubuntu security notices) where applicable; a distribution may ship a patched package that still carries a 4.0.7 version string, so check the advisory rather than relying on the version alone.
  • Treat untrusted image input as hostile and limit where conversion utilities can be invoked.
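As an added example that is not part of the original debrief, NVD, or the libtiff project, the following POSIX shell audit covers the first three actions above: it checks whether the installed libtiff version string matches the 4.0.7 release named in the NVD CPE, and scans a directory tree for a bmp2tiff executable or for scripts and cron entries that invoke it. The package names (libtiff5, libtiff6, libtiff-dev on Debian/Ubuntu; libtiff on RPM systems) and the pkg-config module name libtiff-4 are assumptions about common packaging, and the files the demo scans are constructed stand-ins.

```shell
#!/bin/sh
# Added example for this debrief; not code from PatchSiren, NVD, or the libtiff
# project. Assumptions (not from the advisory): Debian package names
# libtiff5/libtiff6/libtiff-dev, RPM package name libtiff, pkg-config module
# libtiff-4.

# is_affected VERSION: succeed (0) when VERSION is the upstream 4.0.7 release
# named in the NVD CPE, including distro-suffixed forms such as 4.0.7-6.
# Caveat: a distribution may have backported the fix into a 4.0.7-based
# package; a version match alone cannot tell, so confirm against the distro
# advisory before closing the finding.
is_affected() {
    case "$1" in
        4.0.7|4.0.7-*|4.0.7+*|4.0.7~*|4.0.7_*) return 0 ;;
        *) return 1 ;;
    esac
}

# installed_libtiff_version: print the first libtiff version string the local
# package manager or pkg-config reports, or nothing if none is found.
installed_libtiff_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libtiff5 libtiff6 libtiff-dev 2>/dev/null | head -n 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' libtiff 2>/dev/null | head -n 1
    elif command -v pkg-config >/dev/null 2>&1; then
        pkg-config --modversion libtiff-4 2>/dev/null
    fi
}

# find_bmp2tiff_refs DIR: list files under DIR that are a bmp2tiff executable
# ("binary:") or that mention bmp2tiff, e.g. wrapper scripts or cron jobs
# ("reference:"). The exact-name filter keeps the tool itself out of the grep.
find_bmp2tiff_refs() {
    find "$1" -type f -name bmp2tiff -exec printf 'binary: %s\n' {} \;
    find "$1" -type f ! -name bmp2tiff -exec grep -l 'bmp2tiff' {} \; 2>/dev/null |
        sed 's/^/reference: /'
}

# count_bmp2tiff_refs DIR: number of hits reported by find_bmp2tiff_refs.
count_bmp2tiff_refs() {
    find_bmp2tiff_refs "$1" | wc -l | tr -d ' '
}

# audit_host ROOT: run both checks and print a verdict; returns 0 only when
# neither the vulnerable version nor any bmp2tiff usage under ROOT was found.
audit_host() {
    rc=0
    ver=$(installed_libtiff_version)
    if [ -n "$ver" ] && is_affected "$ver"; then
        echo "libtiff $ver installed: matches the CVE-2017-5563 CPE (4.0.7)"
        rc=1
    else
        echo "libtiff version: ${ver:-not found via package manager}"
    fi
    hits=$(count_bmp2tiff_refs "$1")
    if [ "$hits" -gt 0 ]; then
        echo "bmp2tiff usage under $1 ($hits hit(s)):"
        find_bmp2tiff_refs "$1"
        rc=1
    fi
    return $rc
}

# demo: constructed sample tree so the scan can be exercised offline. The
# files are empty stand-ins, not real libtiff binaries or production scripts.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/etc/cron.d"
    : > "$tmp/bin/bmp2tiff"
    printf '#!/bin/sh\nbmp2tiff "$1" out.tif\n' > "$tmp/bin/convert.sh"
    printf '0 * * * * app /opt/app/convert.sh /srv/upload/in.bmp\n' > "$tmp/etc/cron.d/convert"
    find_bmp2tiff_refs "$tmp"
    rm -rf "$tmp"
}
```

Run `audit_host /` (or a narrower root such as /opt or /usr/local) on each candidate host; the grep pass is deliberately broad, so expect false positives from documentation and package metadata that merely mention bmp2tiff, and treat the "binary:" hits and any wrapper script that feeds it externally supplied files as the findings to act on.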

Evidence notes

The core facts come from the NVD record and its referenced advisories. NVD lists libtiff 4.0.7 as the vulnerable CPE, classifies the weakness as CWE-125, and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The description states that a crafted BMP image can trigger a heap-based buffer over-read in tif_lzw.c via tools/bmp2tiff, with outcomes including DoS or code execution. Reference links include the upstream issue tracker, a SecurityFocus advisory entry, and Gentoo/Ubuntu security notices.

Official resources

Publicly disclosed on 2017-01-23. The supplied NVD record was last modified on 2026-05-13; that modification date is not the vulnerability date.