Heap-based Buffer Overflow in libtiff via PixarLog Image Decoding

Executive Summary

This vulnerability is a heap-based buffer overflow in the libtiff library, specifically in the PixarLog codec when decoding TIFF images compressed with PixarLog and using the PIXARLOGDATAFMT_8BITABGR output format with a stride of 3.

The issue arises because the decoder writes 4 bytes for every 3 decoded samples (adding a synthetic alpha byte) but only advances the output pointer by 3 bytes. This mismatch causes a linear heap buffer overflow approximately equal to the image width per scan line.

The overflow occurs on a user-allocated buffer, and the TIFFScanlineSize function returns an incorrect size, which exacerbates the problem. This flaw can lead to memory corruption.

Exploitation of this vulnerability can allow a remote attacker to cause arbitrary code execution or a denial of service (DoS) by providing a specially crafted PixarLog-compressed TIFF image.

Useful 0 Not Useful 0

Impact Analysis

If you use libtiff to process PixarLog-compressed TIFF images with the PIXARLOGDATAFMT_8BITABGR format, this vulnerability can be exploited by a remote attacker who supplies a specially crafted image.

The attacker could trigger a heap-based buffer overflow, which may lead to arbitrary code execution, allowing them to run malicious code on your system.

Alternatively, the vulnerability could cause a denial of service (DoS) by crashing the application processing the image.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if your system or application uses libtiff to decode PixarLog-compressed TIFF images with the PIXARLOGDATAFMT_8BITABGR output format and a stride of 3. Detection involves checking for the presence of vulnerable libtiff versions and monitoring for attempts to process specially crafted TIFF images that exploit this flaw.

You can use commands to check the libtiff version installed on your system, for example:

• On Linux, run: `tiffinfo --version` or `tiffdump --version` to check the libtiff version.
• Use file scanning tools or antivirus solutions to detect suspicious TIFF files that might be crafted to exploit this vulnerability.

Additionally, if you have access to source code or binaries, you can verify if the fix from merge request !873 (merged April 23, 2026) is applied, which addresses the buffer overflow in the PixarLog decoder.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating libtiff to a version that contains the fix for CVE-2026-12912. The fix was merged on April 23, 2026, and corrects the buffer overflow by adjusting the output pointer advancement in the PixarLogDecode function.

If updating is not immediately possible, consider:

• Avoid processing PixarLog-compressed TIFF images with the PIXARLOGDATAFMT_8BITABGR output format and a stride of 3.
• Implement input validation or filtering to block suspicious or untrusted TIFF files that could exploit this vulnerability.
• Monitor systems for unusual crashes or behavior related to TIFF image processing that could indicate exploitation attempts.

Useful 0 Not Useful 0