PatchSiren cyber security CVE debrief
CVE-2026-4775 Redhat CVE debrief
CVE-2026-4775 is a libtiff flaw involving a signed integer overflow in putcontig8bitYCbCr44tile. When triggered by a specially crafted TIFF file, the bad calculation can produce an out-of-bounds heap write, which may crash the application or create a path to code execution. The supplied NVD data also ties the issue to Red Hat and Debian advisory references and lists multiple affected platform CPEs.
- Vendor: Red Hat
- Product: libtiff
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-05-11
- Advisory published: 2026-03-24
- Advisory updated: 2026-05-11
Who should care
Teams that process or render TIFF images should pay attention: desktop users, application owners, image-ingestion pipelines, document-management systems, thumbnailing services, and administrators of systems that package or embed libtiff. The NVD record lists libtiff itself plus Red Hat Enterprise Linux 6-10, Debian 11, and Red Hat hardened images among affected CPEs.
Technical summary
The vulnerability is described as a signed integer overflow in libtiff's putcontig8bitYCbCr44tile function. That overflow can feed incorrect pointer arithmetic and produce an out-of-bounds heap write while decoding a crafted TIFF image. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attack vector is local and user interaction is required, meaning the crafted file is the whole payload and the attacker still needs something on the target to open it, whether a user viewing the image or a service that decodes untrusted uploads. No privileges are needed, and the impact is rated high on confidentiality, integrity and availability. The issue is mapped to CWE-190 (integer overflow or wraparound) in the supplied source metadata.
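As an added illustration (not libtiff's code, and not the vendor's fix), the following C models the CWE-190 pattern the summary describes: a tile byte count formed in 32-bit signed arithmetic from file-controlled dimensions, the way the wrapped result under-sizes the heap buffer that the row stride then overruns, and a checked version of the same computation. The function names, the 256 MiB ceiling and the tile geometries are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model of a tile decoder's size computation. Names and
 * structure are assumptions for this example, not libtiff's code. The
 * inputs (tile width, tile length, bytes per output pixel) are the kind
 * of values a crafted TIFF controls through its tags. */

/* Vulnerable pattern (CWE-190): the byte count is formed in 32-bit signed
 * arithmetic. Signed overflow is undefined behaviour in C, so this helper
 * computes the two's-complement wrapped value explicitly to make the
 * effect observable deterministically. */
static int32_t tile_bytes_wrapped(int32_t width, int32_t height, int32_t bpp)
{
    uint32_t prod = (uint32_t)width * (uint32_t)height * (uint32_t)bpp;
    return (int32_t)prod;
}

/* Exact product in 64 bits: how many bytes the decode loop really touches
 * when it walks height rows of width*bpp bytes each. */
static uint64_t tile_bytes_exact(int32_t width, int32_t height, int32_t bpp)
{
    return (uint64_t)width * (uint64_t)height * (uint64_t)bpp;
}

/* Bytes the unchecked path writes beyond the buffer it sized with the
 * wrapped count (0 means the wrapped size happened to be sufficient).
 * A negative or zero wrapped size is treated as an allocation of 0 bytes. */
static uint64_t overflow_bytes(int32_t width, int32_t height, int32_t bpp)
{
    int32_t alloc = tile_bytes_wrapped(width, height, bpp);
    uint64_t allocated = alloc > 0 ? (uint64_t)alloc : 0;
    uint64_t written = tile_bytes_exact(width, height, bpp);
    return written > allocated ? written - allocated : 0;
}

/* Hardened version: reject non-positive dimensions, multiply in size_t with
 * an explicit overflow test before each step, and apply an application-chosen
 * ceiling so a hostile file cannot force a huge allocation either.
 * Returns the byte count, or -1 on rejection. */
#define TILE_BYTES_LIMIT ((uint64_t)256 << 20)   /* 256 MiB: assumed policy value */

static int64_t tile_bytes_checked(int32_t width, int32_t height, int32_t bpp)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return -1;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bpp;
    if (w > SIZE_MAX / h)
        return -1;
    size_t row_total = w * h;
    if (row_total > SIZE_MAX / b)
        return -1;
    size_t total = row_total * b;
    if ((uint64_t)total > TILE_BYTES_LIMIT)
        return -1;
    return (int64_t)total;
}

int main(void)
{
    /* Constructed geometries for the demonstration, not from a real sample. */
    const int32_t cases[][3] = {
        { 512, 512, 4 },        /* benign: 1 MiB */
        { 65536, 32768, 4 },    /* 2^33 bytes: wraps to 0 */
        { 46341, 46341, 1 },    /* just past INT32_MAX: wraps negative */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t w = cases[i][0], h = cases[i][1], b = cases[i][2];
        printf("%6d x %6d x %d  wrapped=%11d  exact=%11llu  oob=%11llu  checked=%lld\n",
               w, h, b, tile_bytes_wrapped(w, h, b),
               (unsigned long long)tile_bytes_exact(w, h, b),
               (unsigned long long)overflow_bytes(w, h, b),
               (long long)tile_bytes_checked(w, h, b));
    }
    return 0;
}
```

The two hostile geometries show the two failure shapes a wrapped size takes: a product that lands exactly on a multiple of 2^32 gives a zero-byte buffer, and one just past INT32_MAX gives a negative count that, once cast to size_t, becomes an absurd allocation request or, if clamped, a tiny one. Either way the decode loop's stride arithmetic, which uses the true width and height, walks past the end of the heap allocation. The checked variant fails closed on both, and the ceiling is what turns a "correct but enormous" request into a rejection rather than a denial of service.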
Defensive priority
High. The impact profile includes potential arbitrary code execution, and the affected component is a widely used image library that may be present in many products and operating systems. Prioritize patching systems that accept untrusted TIFF files or that expose TIFF processing in automated workflows.
Recommended defensive actions
- Apply the relevant Red Hat and Debian security updates referenced in the NVD record for all affected systems.
- Inventory applications, services, and appliances that link against libtiff or process TIFF uploads, previews, thumbnails, or conversions.
- Restrict or sandbox processing of untrusted TIFF content until patched, especially in automated ingestion pipelines.
- Verify patch status across affected platforms listed in the source data, including Red Hat Enterprise Linux 6-10, Debian 11, and hardened images.
- Monitor for crashes or memory-corruption symptoms in image-handling components and treat unexplained failures as a priority until remediation is confirmed.
Evidence notes
The supplied source corpus describes a signed integer overflow in libtiff's putcontig8bitYCbCr44tile function that can lead to an out-of-bounds heap write. NVD metadata lists libtiff and several Red Hat/Debian platform CPEs as vulnerable, and the Red Hat-sourced CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The corpus also shows the CVE was published on 2026-03-24 and modified on 2026-05-11. No Known Exploited Vulnerabilities entry is included in the supplied data.
Official resources
- CVE-2026-4775 CVE record (CVE.org)
- CVE-2026-4775 NVD detail (NVD)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Third Party Advisory)
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
CVE-2026-4775 was published on 2026-03-24 and last modified on 2026-05-11 in the supplied records. No KEV listing is present in the supplied corpus.