PatchSiren cyber security CVE debrief

CVE-2016-5316 openSUSE CVE debrief

CVE-2016-5316 is a denial-of-service flaw in libtiff’s PixarLogCleanup handling. A crafted TIFF image can trigger an out-of-bounds read and crash the rgb2ycbcr tool. The issue was publicly disclosed in January 2017, and the supplied record shows later NVD metadata updates in 2026; the underlying vulnerability remains the same legacy libtiff issue. No KEV listing was provided in the source corpus.

Vendor: openSUSE
Product: CVE-2016-5316
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Security teams that still ship or embed libtiff 4.0.6 or earlier, especially desktop, imaging, document-processing, and Linux distribution maintainers. Operators who expose TIFF conversion or preview workflows should treat this as a crash-risk issue, not a confidentiality or integrity break.

Technical summary

NVD classifies the weakness as CWE-125 (out-of-bounds read) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerable code path is PixarLogCleanup in tif_pixarlog.c. According to the record, remote attackers can supply a crafted TIFF image that causes rgb2ycbcr to crash. The supplied CPEs mark libtiff through 4.0.6 as affected, and also identify affected openSUSE product entries.

Defensive priority

Medium. This is a remotely triggerable availability issue that may be relevant where TIFF files are accepted from untrusted sources, but the supplied data does not indicate code execution, data exposure, or active exploitation.

Recommended defensive actions

  • Inventory systems and applications that use libtiff, including bundled copies inside larger products.
  • Prioritize upgrading libtiff to a version newer than 4.0.6 where the issue is fixed.
  • Treat untrusted TIFF uploads, previews, and conversion jobs as crash-prone until patched.
  • If immediate upgrading is not possible, reduce exposure by restricting TIFF processing to trusted inputs and isolated service accounts.
  • Validate distro vendor advisories and package updates for any embedded libtiff copies, including openSUSE, Debian, and Gentoo references in the record.
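The inventory and upgrade steps above come down to one question per host or bundled copy: is the libtiff build 4.0.6 or earlier? The script below is an added example, not part of the PatchSiren debrief or of libtiff itself. It parses the banner returned by libtiff's TIFFGetVersion() function, compares the version against the "4.0.6 and earlier" range stated in the NVD description, and optionally probes the libtiff shared library on the current host through ctypes. The sample banners are constructed to match the TIFFGetVersion() format and are not taken from any real host.

```python
"""Classify libtiff builds against the CVE-2016-5316 affected range.

Added example for the PatchSiren debrief; not code from libtiff or openSUSE.
Assumptions: TIFFGetVersion() returns a banner beginning
'LIBTIFF, Version X.Y.Z'; the affected range is 4.0.6 and earlier, as the
CVE description states. SAMPLE_BANNERS are constructed for illustration.
"""
import ctypes
import ctypes.util
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Upper bound of the affected range from the CVE description (4.0.6 and earlier).
LAST_AFFECTED: Version = (4, 0, 6)

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_libtiff_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a TIFFGetVersion()-style banner.

    Returns None when the banner carries no recognizable version, so callers
    can report 'unknown' instead of silently treating the copy as safe.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies in the range NVD marks affected (<= 4.0.6)."""
    return version <= LAST_AFFECTED


def classify_banner(banner: str) -> str:
    """Map a banner to 'affected', 'not-affected' or 'unknown' for inventory reports."""
    version = parse_libtiff_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def probe_system_libtiff() -> Optional[str]:
    """Return the banner of the libtiff shared library on this host, if any.

    Uses ctypes so the check works the same on any distro; returns None when
    no loadable libtiff is present (e.g. in a minimal container).
    """
    name = ctypes.util.find_library("tiff")
    if not name:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.TIFFGetVersion.restype = ctypes.c_char_p
    lib.TIFFGetVersion.argtypes = []
    return lib.TIFFGetVersion().decode("ascii", "replace")


# Constructed sample banners in the TIFFGetVersion() format (not real hosts).
SAMPLE_BANNERS: Dict[str, str] = {
    "legacy-desktop": "LIBTIFF, Version 4.0.6\nCopyright (c) 1988-1996 Sam Leffler",
    "older-appliance": "LIBTIFF, Version 3.9.7\nCopyright (c) 1988-1996 Sam Leffler",
    "patched-server": "LIBTIFF, Version 4.0.7\nCopyright (c) 1988-1996 Sam Leffler",
    "stripped-bundle": "libtiff (version string removed by packager)",
}


def inventory_report(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify every (host, banner) pair; the result feeds an inventory list."""
    return {host: classify_banner(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_BANNERS).items():
        print(f"{host:18s} {status}")
    live = probe_system_libtiff()
    if live is not None:
        print(f"{'this-host':18s} {classify_banner(live)} ({live.splitlines()[0]})")
    else:
        print("this-host          no loadable libtiff found")
```

The comparison uses a version tuple rather than string matching so that builds such as 3.9.x are also flagged; a banner with no parsable version is reported as "unknown" and should be investigated rather than assumed fixed, since bundled copies inside larger products are exactly where version strings tend to be stripped.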

Evidence notes

The vulnerability description in the supplied corpus states: out-of-bounds read in PixarLogCleanup in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool. NVD lists CWE-125 and a CVSS v3 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The record’s reference set includes official and third-party advisories from openSUSE, Debian, Gentoo, and the oss-security mailing list.

Official resources

Publicly disclosed on 2017-01-20 per the supplied CVE and source timestamps; the source record was later modified on 2026-05-13. No KEV entry was provided.