CVE-2026-46599: TIFF PackBits Decoder Denial of Service Vulnerability
CVE-2026-46599 is a denial-of-service vulnerability in TIFF image decoders that affects how they handle PackBits-compressed image data. An attacker can craft a specially-designed image file that appears small on disk but, when decoded, forces the decoder to expand and process far larger amounts of data than expected. This resource exhaustion can crash applications or services that attempt to process the malicious image, making it a practical availability threat in environments that automatically process untrusted images.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from missing input validation in TIFF decoder implementations that process PackBits-compressed segments. PackBits is a simple run-length encoding scheme; without decompression limits, a small number of compressed bytes can expand to arbitrarily large output. An attacker crafts a TIFF file where the image dimensions (width/height) and file size suggest a benign payload, but the PackBits data streams contain compression ratios that cause memory and CPU exhaustion during decompression. The flaw is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), a pattern weakness that enables algorithmic complexity attacks and resource-based denial of service.
Business impact
Organizations relying on automated image processing pipelines—such as document management systems, web thumbnail generators, email attachment handlers, or cloud storage services—face availability risks. A single malicious TIFF uploaded by an attacker could trigger decoder crashes, service hangs, or memory exhaustion on backend servers. For businesses processing user-generated or untrusted content, this translates to potential service interruptions, support overhead, and reputational damage if malicious images cause user-facing outages.
Affected systems
Any application or library that decodes TIFF images using PackBits decompression is potentially affected. This includes image viewers, graphics libraries, document converters, content management systems, and cloud services that handle TIFF uploads. The vulnerability is not tied to specific vendor products in the ground-truth data, indicating either broad cross-vendor impact or that vendor-specific information is pending. Organizations should inventory their use of TIFF decoding—both in first-party code and embedded libraries—to assess exposure.
Exploitability
Exploitability is high and requires only network access; no authentication, user interaction, or privilege escalation is needed (CVSS vector AV:N/AC:L/PR:N/UI:N). An attacker simply uploads or delivers a malicious TIFF file to a target system. The attack surface is particularly wide in environments that accept file uploads, process attachments automatically, or scan content from external sources. Proof-of-concept is straightforward: craft a TIFF with legitimate headers but engineered PackBits data that decompresses to gigabytes of output. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but that does not diminish the practical risk given the simplicity of weaponization.
Remediation
Immediate mitigation includes implementing decompression limits in TIFF decoder configurations—capping output buffer sizes and absolute decompressed data volumes per image. Rate-limiting or timeout controls on image processing operations can reduce the impact of resource exhaustion. Long-term remediation requires patching underlying TIFF libraries or upgrading to vendor releases that validate PackBits segment sizes and enforce memory boundaries. Organizations should verify patch availability from their image library or application vendor and prioritize deployment based on exposure (e.g., public-facing image services first).
Patch guidance
Consult your TIFF decoder vendor or embedded library provider for patched versions. Since affected products are not specified in CVE details, review your software bill of materials (SBOM) and identify which libraries handle TIFF decoding. Check vendor security advisories or commit histories (e.g., libtiff, ImageMagick, Pillow) for patches addressing PackBits decompression limits. Once patches are available, test in a staging environment to confirm compatibility, then roll out to production according to your deployment schedule. For open-source libraries, monitor GitHub releases and security mailing lists for fixes.
Detection guidance
Monitor for anomalous TIFF file processing: unusually high CPU or memory consumption during image decode operations, unexplained crashes in image processing services, or logs showing decompression timeouts. Implement file-upload validation rules that reject TIFF files with suspicious characteristics—extremely high compression ratios, declared dimensions that don't match file size, or abnormally large decompressed output predictions. Network detection is challenging without deep packet inspection, but endpoint telemetry showing resource spikes correlated with TIFF processing is a useful heuristic. Log and quarantine any uploaded TIFF files that trigger decoder errors or resource limits.
Why prioritize this
A CVSS 7.5 HIGH score reflects the network-exploitable, authentication-free nature of the attack and the severity of denial-of-service impact. Prioritize this vulnerability if your organization processes TIFF images from untrusted sources (user uploads, email, cloud storage, third-party APIs). Less urgent for environments that rarely encounter TIFF files or strictly validate and sanitize input before processing. However, given the ease of exploitation and the potential for service-level impact, this merits prompt investigation and patching in most IT environments.
Risk score, explained
CVSS 3.1 assigns a score of 7.5 (HIGH) based on network accessibility, no authentication requirement, low attack complexity, and high availability impact (A:H). The vulnerability does not compromise confidentiality or integrity, limiting the score from critical to high. The lack of user interaction (UI:N) and uniform scope (S:U) reflect the attacker's ability to trigger the flaw directly. In operational risk assessment, the ease of crafting a weaponized image and the prevalence of TIFF processing in real-world systems justify taking this vulnerability seriously despite it being availability-only.
Frequently asked questions
Can this vulnerability lead to code execution or data theft?
No. CVE-2026-46599 is confined to denial of service and resource exhaustion. It does not allow an attacker to execute code, read sensitive data, or modify files. The impact is limited to crashing or hanging the TIFF decoder and consuming system resources.
Do I need to worry about this if I don't use TIFF images?
Unlikely, unless you use a graphics or document library that internally processes TIFF as an intermediate format. Review your application dependencies and ask your vendors whether TIFF support is enabled by default or required for your use case.
What is PackBits and why is it a problem here?
PackBits is a simple run-length encoding compression method used in TIFF files. The vulnerability arises because the decoder does not limit how much data can be decompressed from a PackBits stream, allowing a small encoded chunk to expand into gigabytes of memory, exhausting resources.
Is this vulnerability being actively exploited?
As of the published date, this vulnerability is not tracked on CISA's Known Exploited Vulnerabilities list. However, the simplicity of crafting a malicious TIFF means exploitation could begin at any time. Organizations should not rely on KEV status alone to prioritize patching.
This analysis is provided for informational purposes and represents the security landscape as of the publication date. The ground-truth data (CVE ID, CVSS score, CWE classification, and KEV status) is sourced from authoritative vulnerability databases and may be updated. Patch availability and vendor-specific guidance are subject to change; always verify against official vendor security advisories before deploying patches. Organizations should conduct their own risk assessment based on their environment, asset inventory, and threat model. SEC.co makes no warranty as to the completeness or accuracy of third-party vendor patch information and recommends direct consultation with vendors and security teams. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-46638HIGHDell BSAFE SSL-J Resource Exhaustion DoS Vulnerability
- CVE-2026-28299HIGHSolarWinds Web Help Desk Denial-of-Service Vulnerability – CVSS 8.2
- CVE-2026-34077HIGHReact Router XSS in RSC Redirect Handling – Patch Guidance
- CVE-2026-44697HIGHKlever-Go Remote Denial-of-Service via Decompression Bomb
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability