One Crafted TIFF File to Heap RCE: CVE-2026-4775 in libtiff

A single TIFF file — the same format your document scanners, medical imaging systems, and geospatial pipelines quietly trust every day — is all it takes to trigger a heap write primitive and potentially execute arbitrary code on the underlying host. ⚠️ CVE-2026-4775 is a signed integer overflow buried deep inside libtiff’s YCbCr tile processing routine, rated CVSS 7.8 HIGH, and it doesn’t require authentication, user interaction beyond opening a file, or any elevated privilege on the attacker’s side. If your organisation processes untrusted images — and statistically, almost every enterprise does — this vulnerability lands squarely on your attack surface right now.

What Is CVE-2026-4775?

libtiff is the de-facto C library for reading and writing TIFF (Tagged Image File Format) images. It underpins image handling in everything from LibreOffice and ImageMagick to GDAL, Pillow (Python), PHP’s GD extension, and dozens of medical and satellite imaging tools. The vulnerability lives inside putcontig8bitYCbCr44tile(), a function responsible for converting 4:4 chroma-subsampled YCbCr tile data into a contiguous output buffer.

The root cause is a signed integer overflow during memory pointer arithmetic. When the function calculates the destination offset into the output heap buffer, it performs arithmetic using signed 32-bit integers. A specially crafted TIFF file with malformed tile dimensions or chroma subsampling metadata can cause this calculation to wrap around to a negative value or an unexpectedly small positive value — both of which then feed directly into a write operation, landing data outside the intended buffer boundary. That’s a classic out-of-bounds heap write, and depending on heap layout at the time of exploitation, it can be weaponised for denial of service (crash) or, more critically, for arbitrary code execution.

The severity here isn’t just theoretical. Heap write primitives with attacker-controlled offset and data are among the most actionable bug classes in memory-unsafe C code. Anyone who has tracked libtiff’s history — CVE-2023-0795, CVE-2022-3970, the 2016 heap overflows that prompted mandatory libtiff audits — knows this library has a pattern of exactly this class of vulnerability surviving across major versions.

How the Attack Works 🔧

The exploitation path follows a well-understood template for image-parsing vulnerabilities, which is precisely why this one deserves respect rather than dismissal:

Craft the payload: An attacker constructs a TIFF file with a deliberately malformed YCbCr tile — tweaking the TileWidth, TileLength, or YCbCrSubSampling TIFF tags to produce integer overflow conditions inside putcontig8bitYCbCr44tile().
Deliver the file: The file reaches the target via email attachment, web upload form, API endpoint accepting image input, document conversion pipeline, or even a shared network drive. No exploit kit, no C2 infrastructure needed at delivery stage.
Trigger the parse: Any application that calls TIFFReadRGBAImage(), TIFFReadScanline(), or similar libtiff APIs against the crafted file will hit the vulnerable code path during tile decoding.
Heap corruption fires: The overflow writes attacker-influenced data beyond the buffer boundary. Depending on the process heap layout, this may overwrite adjacent heap metadata, function pointers, or vtable entries.
Outcome: Best case for the attacker is RCE in the context of the parsing process. Worst case (from their perspective) is a clean crash — still a usable DoS against availability-sensitive pipelines.

In enterprise environments, the most dangerous deployment pattern I’ve seen is server-side image processing pipelines that silently consume user-submitted files. A thumbnail generator, a document ingestion service, a satellite image pre-processor — these are often running as persistent daemons with broad filesystem access, and they’re exactly the kind of process that never shows up in a threat model until something burns down.

Who’s Affected?

The blast radius of a libtiff vulnerability is wider than most people expect because the library is rarely a direct dependency — it’s a transitive one. You may not have installed libtiff, but it’s very likely running in your environment. Consider these common vectors:

ImageMagick / GraphicsMagick — used for image conversion in CMS platforms, media pipelines, and CI/CD asset processing.
GDAL / PROJ — the geospatial stack used in GIS platforms, satellite imagery tools, and mapping APIs.
LibreOffice / OpenOffice — desktop office suites that render embedded TIFF images in documents.
PHP GD / Imagick extensions — web applications accepting image uploads.
Python Pillow — used extensively in data science and ML preprocessing pipelines that handle user-provided images.
Medical and scientific imaging software — TIFF is a dominant format in radiology (DICOM adjacent), microscopy, and remote sensing, where parsing untrusted files is routine.
Print and document management systems — many enterprise MFP (multi-function printer) backends parse TIFF files server-side.

If your environment uses any of these, and if any of them process TIFF files sourced from outside a fully trusted boundary, you should treat this as an active exposure until patched or mitigated.

MITRE ATT&CK Mapping

CVE-2026-4775 maps cleanly to several ATT&CK techniques depending on how the exploitation chain unfolds:

T1203 — Exploitation for Client Execution: The primary technique. A crafted TIFF delivered to a client-side application (document viewer, image editor) exploits a vulnerability in the software to achieve execution.
T1190 — Exploit Public-Facing Application: Applicable when the vulnerable libtiff consumer is a web application or API endpoint that processes user-uploaded images.
T1499.004 — Endpoint Denial of Service via Application Exhaustion: The crash (DoS) outcome maps here — especially relevant for availability-sensitive pipelines.
T1059 — Command and Scripting Interpreter: Post-exploitation, once code execution is achieved within the parsing process context.

How to Defend with Wazuh 🛡️

Detection here spans three layers: package inventory (do you have a vulnerable libtiff?), file activity monitoring (is a process crashing or writing anomalously?), and log-based alerting (are upstream image-processing services throwing errors consistent with malformed input?).

Start with Wazuh’s SCA (Security Configuration Assessment) or a simple package check to surface vulnerable libtiff versions across your fleet. Then layer a custom rule to catch application crashes in image-processing services — SIGSEGV or SIGABRT from a service like ImageMagick or a PHP-FPM worker is a strong indicator of exploitation attempt.






  
  
    syslog
    convert|tiff2pdf|tiff2ps|php-fpm|ImageMagick|python.*PIL|gdal
    segfault|SIGSEGV|SIGABRT|core dumped|heap corruption
    Possible libtiff exploit: Image-processing binary crashed with memory fault (CVE-2026-4775)
    
      T1203
      T1190
    
    exploit_attempt,memory_corruption,libtiff,
  

  
  
    100501
    Repeated image-processing crashes detected — possible DoS or active exploitation of CVE-2026-4775
    
      T1499.004
    
    dos,exploit_attempt,libtiff,
  

  
  
    syslog
    libtiff|TIFFRead|putcontig8bit|YCbCr
    Error|invalid|overflow|out of bounds|bad value
    libtiff reported a parsing error — investigate for malformed TIFF input (CVE-2026-4775)
    
      T1203
    
    libtiff,parsing_error,
  







  /var/www/uploads
  /opt/imageprocessing/input

In our enterprise deployments, we pair the crash-detection rules above with a Wazuh active response script that quarantines the uploaded file and kills the offending process before it can be restarted with the same malicious input. If you’re running a public-facing image upload endpoint, that kind of automated containment is worth the few minutes it takes to configure.

Additionally, use Wazuh’s Vulnerability Detector module to passively identify hosts running unpatched libtiff. Enable the NVD feed and ensure your agent inventory is collecting package lists — CVE-2026-4775 will surface automatically once the NVD entry propagates to the feeds.

What to Do Right Now

🔧 Patch libtiff immediately on all hosts where it’s installed — check your distro’s advisory (RHEL, Debian, Ubuntu, Alpine) for the patched package version and prioritise servers running image-processing workloads.
🔧 Audit transitive dependencies — run ldd $(which convert), pip show pillow, or your language-specific dependency graph tools to discover whether your applications link against a vulnerable libtiff version. Container images need the same audit.
🛡️ Restrict TIFF input at the perimeter — if your application doesn’t legitimately need to accept TIFF files from untrusted sources, block the MIME type (image/tiff) at your WAF or API gateway as an interim control while patching progresses.
🛡️ Sandbox image-processing workers — run thumbnail generators and document conversion services in containers or VMs with no network egress and minimal filesystem access. A heap RCE in a sandboxed process is a containment event, not a breach.
📊 Deploy the Wazuh rules above and alert on crash signals from image-processing binaries — treat any SIGSEGV from these services as a potential exploitation attempt pending investigation.
📊 Review web application logs for unusual TIFF uploads — large numbers of failed parse attempts, files with anomalous TileWidth/TileLength values, or repeated crashes in your image pipeline are all indicators of active probing or exploitation.

The broader lesson here is one I keep repeating in post-mortems: image parsing is a massive, underappreciated attack surface. Every pixel decoder, tile renderer, and colour space converter is a parser written in C running against untrusted input. libtiff has been around since 1988, and in that time it has accumulated exactly the kind of legacy code complexity where signed/unsigned arithmetic bugs hide for years. CVE-2026-4775 is a reminder that “we only accept images” is not a security posture — it’s an invitation. Pair your patch cadence with proper sandboxing, input validation at the format level, and runtime crash monitoring, and you’ll be ahead of the curve when the next image-parsing CVE drops. Believe me, it will.

For related deep-dives on exploiting parsing pipelines, check out One LaTeX Snippet to RCE: CVE-2026-33046 in Indico — the same class of “trust the file format” mistake plays out in a completely different context. And if you’re thinking about how AI-powered exploitation is shortening the patch window, AI Finds Exploits Faster Than You Can Patch Them is essential reading for your threat model.

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-4775

Securtr