Описание
A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
Отчет
The null pointer dereference flaw in Libtiff via tif_dirinfo.c is classified as a moderate severity issue rather than a higher severity one because, while it can cause an application crash leading to denial of service, it does not directly compromise the confidentiality, integrity, or availability of data beyond causing downtime. The impact is localized to application stability rather than enabling remote code execution, privilege escalation, or unauthorized data access. Furthermore, exploiting this flaw requires conditions such as inducing memory allocation failures or manipulating the heap, which limits the attack surface and reduces the likelihood of successful exploitation in typical deployment environments. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-476: NULL Pointer Dereference vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform incorporates secure engineering principles and controls to enforce secure coding practices, including proper memory handling and error checking, reducing the likelihood of null pointer dereference vulnerabilities. Coding standards, tools, and processes support early detection and prevention of memory-related flaws. Static code analysis identifies null dereference and related issues during development, while system monitoring detects memory errors and anomalous behavior in the event of exploitation. Additionally, the platform leverages memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to strengthen resilience against memory-related vulnerabilities.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | libtiff | Not affected | ||
| Red Hat Enterprise Linux 6 | libtiff | Out of support scope | ||
| Red Hat Enterprise Linux 7 | libtiff | Out of support scope | ||
| Red Hat Enterprise Linux 8 | libtiff | Fixed | RHSA-2024:8833 | 05.11.2024 |
| Red Hat Enterprise Linux 9 | libtiff | Fixed | RHSA-2024:8914 | 05.11.2024 |
| Red Hat Enterprise Linux 9.2 Extended Update Support | libtiff | Fixed | RHSA-2024:6360 | 04.09.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo. ...
EPSS
7.5 High
CVSS3