CVE-2026-12912 Overview
A heap-based buffer overflow exists in libtiff when decoding PixarLog-compressed TIFF images. The flaw is triggered when the codec processes images with the PIXARLOGDATAFMT_8BITABGR output format combined with a specific stride value. An attacker who supplies a crafted TIFF file to a vulnerable application can corrupt heap memory, resulting in arbitrary code execution or denial of service. The weakness is classified as [CWE-122] Heap-based Buffer Overflow. Exploitation requires local access with low privileges and user interaction, such as opening the malicious file in an application linked against libtiff.
Critical Impact
A crafted PixarLog TIFF image can overflow the heap during decode and lead to arbitrary code execution in any process using vulnerable libtiff builds.
Affected Products
- libtiff — versions containing the vulnerable PixarLog decoder path
- Red Hat Enterprise Linux distributions shipping the affected libtiff package (see RHSA-2026:34890)
- Downstream applications and libraries that link against or bundle vulnerable libtiff builds
Discovery Timeline
- 2026-06-29 - CVE-2026-12912 published to the National Vulnerability Database
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-12912
Vulnerability Analysis
The vulnerability resides in the PixarLog codec implementation within libtiff. When a caller requests the PIXARLOGDATAFMT_8BITABGR output format, the decoder computes buffer sizing based on image dimensions and the caller-supplied stride. Under a specific stride value, the size calculation does not match the number of bytes the decoder subsequently writes into the heap-allocated output buffer. The mismatch causes the decoder to write past the end of the allocated region.
Because the overflow occurs on the heap during image decode, an attacker who controls the TIFF file content controls both the trigger and, to a meaningful degree, the data written out-of-bounds. This enables corruption of adjacent heap metadata or application objects, which is the standard primitive used to pivot toward arbitrary code execution. Applications that automatically render TIFF thumbnails or open images without prompting expand the attack surface even though user interaction is nominally required.
Root Cause
The root cause is an incorrect boundary calculation in the PixarLog decode path. The output buffer is sized for the requested format and stride but the decoder writes ABGR pixel data that exceeds the computed bounds when the stride value is not properly validated against the format's per-pixel byte width.
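The boundary check the paragraph above describes, written out as an added example: this is a hypothetical model of the bug class (an output buffer sized from a caller-supplied stride while the writer emits 4-byte ABGR pixels per column), not libtiff's own code, and the function names, the 16x4 geometry and the 48-byte stride are constructed for illustration. `bytes_past_end` only computes how far a row writer would overrun; it never touches memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the sizing mismatch, not libtiff code: the buffer
 * is sized as stride * height, while the decoder writes one ABGR pixel
 * (4 bytes) per image column of every row. */
#define ABGR_BYTES_PER_PIXEL 4u

/* Unsafe sizing: trusts the stride without relating it to the pixel format. */
size_t unchecked_output_size(uint32_t height, uint32_t stride)
{
    return (size_t)height * stride;
}

/* Bytes that a (width * 4)-bytes-per-row writer would place beyond buf_len,
 * 0 when every row fits. Pure arithmetic, no memory is written. */
size_t bytes_past_end(uint32_t width, uint32_t height, uint32_t stride, size_t buf_len)
{
    if (height == 0) return 0;
    size_t row_bytes = (size_t)width * ABGR_BYTES_PER_PIXEL;
    size_t last_end  = (size_t)(height - 1) * stride + row_bytes;
    return last_end > buf_len ? last_end - buf_len : 0;
}

/* Hardened sizing: the stride must cover width * bytes-per-pixel for the
 * requested format, and each multiplication is checked against SIZE_MAX.
 * Returns 0 and sets *out on success, -1 when the geometry is rejected. */
int checked_output_size(uint32_t width, uint32_t height, uint32_t stride, size_t *out)
{
    if (width == 0 || height == 0) return -1;
    if (width > SIZE_MAX / ABGR_BYTES_PER_PIXEL) return -1;
    size_t row_bytes = (size_t)width * ABGR_BYTES_PER_PIXEL;
    if (stride < row_bytes) return -1;          /* the stride/format mismatch */
    if (stride > SIZE_MAX / height) return -1;  /* stride * height would wrap */
    *out = (size_t)stride * height;
    return 0;
}

/* Convenience wrapper: the validated size, or 0 when the geometry is rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t stride)
{
    size_t out = 0;
    return checked_output_size(width, height, stride, &out) == 0 ? out : 0;
}

int main(void)
{
    /* Constructed geometry: a stride that fits 3 bytes/pixel, but ABGR output. */
    uint32_t w = 16, h = 4, stride = 48;
    size_t n = unchecked_output_size(h, stride);
    printf("unchecked buffer: %zu bytes, overrun: %zu bytes\n", n, bytes_past_end(w, h, stride, n));
    printf("checked sizing: %s\n", checked_size_or_zero(w, h, stride) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed geometry the unchecked path allocates 192 bytes while the last row ends at byte 208, a 16-byte heap overrun; the checked path rejects the stride before any allocation, which is the shape of fix an advisory like this one calls for.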
Attack Vector
An attacker delivers a specially crafted PixarLog-compressed TIFF image to a target user. The user opens the image in an application that uses libtiff with the PIXARLOGDATAFMT_8BITABGR decode path and the triggering stride value. Decoding the image writes attacker-controlled bytes past the heap allocation, corrupting adjacent memory and enabling code execution or process crash.
The vulnerability manifests inside the PixarLog decoder when the ABGR output format is selected. See the GitLab Merge Request #873 and GitLab Work Item #824 for the upstream fix and technical discussion.
Detection Methods for CVE-2026-12912
Indicators of Compromise
- Unexpected crashes or SIGSEGV signals in processes that decode TIFF images (image viewers, thumbnailers, PDF processors, print spoolers)
- TIFF files on disk or in mail/web traffic advertising PixarLog compression (TIFF tag Compression=32908) originating from untrusted sources
- Child processes or shell invocations spawned by image-handling applications shortly after opening a TIFF file
- Heap corruption traces in core dumps referencing PixarLogDecode or related symbols in libtiff
Detection Strategies
- Inspect TIFF files at gateways and mail filters for PixarLog compression combined with unusual stride or ABGR output requests
- Enable AddressSanitizer or heap-hardening telemetry in test environments to surface out-of-bounds writes during decode
- Correlate application crash events with recently opened image files to identify targeted delivery attempts
- Deploy EDR behavioral rules that flag image-handling processes spawning shells, network connections, or persistence primitives
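A gateway-side check for the indicator above (TIFF tag Compression=32908), as an added example that is not part of the original advisory or of libtiff: it parses the classic TIFF header and first IFD with every offset bounds-checked against the buffer length and reports whether the file declares PixarLog compression. The sample byte arrays are constructed minimal IFDs, not real captured files. Note that the PIXARLOGDATAFMT_8BITABGR output format and the stride are chosen by the decoding application at run time and are not stored in the file, so file inspection can flag the compression scheme but not the triggering decode parameters.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TIFFTAG_COMPRESSION  259u
#define COMPRESSION_PIXARLOG 32908u   /* the value named in the indicator above */
#define TIFF_SHORT 3u
#define TIFF_LONG  4u

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Returns 1 if the first IFD declares Compression=32908 (PixarLog), 0 if it
 * declares another scheme or omits the tag, and -1 if the buffer is not a
 * classic TIFF or is truncated before the IFD ends. BigTIFF (magic 43) is
 * deliberately not handled and is reported as -1. */
int tiff_first_ifd_is_pixarlog(const uint8_t *buf, size_t len)
{
    int le;
    if (len < 8) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;        /* little-endian */
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;   /* big-endian */
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;            /* classic TIFF magic */
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len || len - ifd < 2) return -1;
    uint16_t n = rd16(buf + ifd, le);
    if (len - ifd - 2 < (size_t)n * 12) return -1;     /* entry table truncated */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e, le), type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le), val;
        if (tag != TIFFTAG_COMPRESSION) continue;
        if (count != 1) return -1;
        /* a SHORT that fits the 4-byte value field is stored left-justified */
        if (type == TIFF_SHORT) val = rd16(e + 8, le);
        else if (type == TIFF_LONG) val = rd32(e + 8, le);
        else return -1;
        return val == COMPRESSION_PIXARLOG;
    }
    return 0;
}

/* Constructed samples (not real captured files): header plus a one-entry IFD. */
const uint8_t SAMPLE_PIXARLOG_LE[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,   /* LE, magic 42, IFD at offset 8 */
    0x01,0x00,                                 /* 1 entry */
    0x03,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, /* tag 259, SHORT, count 1 */
    0x8C,0x80,0x00,0x00,                       /* value 32908 = PixarLog */
    0x00,0x00,0x00,0x00                        /* no next IFD */
};
const uint8_t SAMPLE_UNCOMPRESSED_BE[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08,   /* BE, magic 42, IFD at offset 8 */
    0x00,0x01,
    0x01,0x03, 0x00,0x03, 0x00,0x00,0x00,0x01, /* tag 259, SHORT, count 1 */
    0x00,0x01,0x00,0x00,                       /* value 1 = no compression */
    0x00,0x00,0x00,0x00
};
const uint8_t SAMPLE_NOT_TIFF[] = { 'P','N','G', 0,0,0,0,0 };

int main(void)
{
    printf("pixarlog sample: %d\n", tiff_first_ifd_is_pixarlog(SAMPLE_PIXARLOG_LE, sizeof SAMPLE_PIXARLOG_LE));
    printf("uncompressed sample: %d\n", tiff_first_ifd_is_pixarlog(SAMPLE_UNCOMPRESSED_BE, sizeof SAMPLE_UNCOMPRESSED_BE));
    printf("non-TIFF sample: %d\n", tiff_first_ifd_is_pixarlog(SAMPLE_NOT_TIFF, sizeof SAMPLE_NOT_TIFF));
    return 0;
}
```

A result of 1 is what a mail or web filter would act on under the workaround below (block or strip PixarLog TIFFs until patched); -1 is worth logging separately, since a TIFF whose IFD is truncated or malformed is itself a signal that a file is not what it claims to be. The same tag can be read interactively with tiffdump from the libtiff-tools package.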
Monitoring Recommendations
- Monitor package inventory to confirm all hosts run patched libtiff builds referenced in Red Hat Security Errata RHSA-2026:34890
- Track TIFF file ingestion in document processing pipelines and log MIME type, source, and originating user
- Alert on repeated crashes of the same image-handling binary across multiple endpoints within a short window
How to Mitigate CVE-2026-12912
Immediate Actions Required
- Apply vendor-supplied libtiff updates on all Linux hosts, container base images, and build pipelines
- Rebuild and redeploy applications that statically link libtiff against the patched library
- Audit third-party software and appliances for bundled vulnerable libtiff copies and request updated builds from vendors
- Restrict TIFF handling by untrusted users where patching is not immediately possible
Patch Information
Red Hat published fixed packages via RHSA-2026:34890 and tracks the issue under Red Hat CVE Details CVE-2026-12912 with additional context in Red Hat Bug Report #2492871. The upstream fix is available in GitLab Merge Request #873. Consumers of automated feeds can ingest the Red Hat VEX Document for CVE-2026-12912 to track applicability.
Workarounds
- Block or strip PixarLog-compressed TIFF files at mail and web gateways until patching is complete
- Disable automatic TIFF thumbnail generation and preview in file managers on multi-user systems
- Run image conversion and document processing workloads in sandboxed or containerized environments with seccomp restrictions to limit post-exploitation options
# Configuration example — verify and update libtiff on RHEL-family systems
rpm -q libtiff
sudo dnf update --refresh libtiff libtiff-tools
rpm -q --changelog libtiff | head -n 20 # confirm CVE-2026-12912 fix is present
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

