CVE-2006-3459

libtiff < 3.8.2 - Stack-Based Buffer Overflow via Large tdir_count in TIFFFetchShortPair

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2006-3459. PoCs published by Metasploit, hdm, kf, including Metasploit module exploits/apple_ios/browser/safari_libtiff.

AI-analyzed exploit summary This exploit targets a buffer overflow in libtiff on iPhone firmware versions 1.00, 1.01, 1.02, and 1.1.1. It crafts a malicious TIFF file embedded in an email to achieve remote code execution via a heap-based overflow.

Description

Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/16869

This exploit targets a buffer overflow in libtiff on iPhone firmware versions 1.00, 1.01, 1.02, and 1.1.1. It crafts a malicious TIFF file embedded in an email to achieve remote code execution via a heap-based overflow.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apple iPhone libtiff (firmware 1.00, 1.01, 1.02, 1.1.1)
No auth needed
Prerequisites: Target iPhone with vulnerable firmware · SMTP access to deliver malicious email
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/16868

This exploit targets a buffer overflow in LibTIFF on iPhone MobileSafari (firmware 1.00-1.1.1) via a maliciously crafted TIFF image. It leverages heap manipulation and shellcode execution to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Apple iPhone MobileSafari with LibTIFF (firmware 1.00, 1.01, 1.02, 1.1.1)
No auth needed
Prerequisites: Target must visit a malicious webpage hosting the exploit TIFF image
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/16862

This exploit targets a buffer overflow in libtiff on iPhone firmware versions 1.00, 1.01, 1.02, and 1.1.1 via a maliciously crafted TIFF image. It leverages heap manipulation and shellcode injection to achieve remote code execution on MobileSafari.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apple iPhone MobileSafari with libtiff (firmware 1.00, 1.01, 1.02, 1.1.1)
No auth needed
Prerequisites: Target must visit a malicious webpage hosting the exploit · Target must be using a vulnerable iPhone firmware version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
pythonlocalwindows
https://www.exploit-db.com/exploits/11787

This exploit generates a malicious PDF file that leverages an integer overflow vulnerability in Adobe Acrobat Reader's LibTiff library to achieve remote code execution. The exploit crafts a TIFF image embedded in a PDF, which triggers the vulnerability when parsed, leading to arbitrary code execution via shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe Acrobat Reader <=8.3.0, <=9.3.0
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
rubyremoteios
https://www.exploit-db.com/exploits/21868

This Metasploit module exploits a buffer overflow in libtiff (CVE-2006-3459) affecting Apple iOS MobileSafari on firmware versions 1.00, 1.01, 1.02, and 1.1.1. It crafts a malicious TIFF file to trigger remote code execution via a heap-based overflow.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apple iOS MobileSafari (libtiff) on firmware versions 1.00, 1.01, 1.02, 1.1.1
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit TIFF file
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
rubyremoteios
https://www.exploit-db.com/exploits/21869

This Metasploit module exploits a buffer overflow in libtiff on Apple iOS MobileMail (firmware versions 1.00, 1.01, 1.02, 1.1.1) via a maliciously crafted TIFF file sent as an email attachment. The exploit leverages heap manipulation and shellcode execution to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Apple iOS MobileMail (libtiff) versions 1.00, 1.01, 1.02, 1.1.1
No auth needed
Prerequisites: Target device must be running vulnerable iOS firmware · Target must open the malicious email attachment
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC GOOD
by hdm, kf · rubypocosx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/apple_ios/browser/safari_libtiff.rb

This Metasploit module exploits a buffer overflow in libtiff on iOS MobileSafari (CVE-2006-3459) by crafting a malicious TIFF file. It targets iPhone firmware versions 1.00-1.1.1 and delivers an ARMLE payload via HTTP.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Apple iOS MobileSafari (libtiff) on iPhone firmware 1.00, 1.01, 1.02, 1.1.1
No auth needed
Prerequisites: Target device must visit attacker-controlled HTTP server · Vulnerable iOS version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by hdm, kf · rubypocosx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/apple_ios/email/mobilemail_libtiff.rb

This Metasploit module exploits a buffer overflow in Apple iOS MobileMail's LibTIFF (CVE-2006-3459) by sending a maliciously crafted TIFF file via email. It targets iPhone firmware versions 1.00, 1.01, 1.02, and 1.1.1, leveraging heap manipulation and shellcode execution for remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Apple iOS MobileMail (LibTIFF) on iPhone firmware 1.00, 1.01, 1.02, 1.1.1
No auth needed
Prerequisites: Target iPhone with vulnerable firmware · SMTP access to deliver malicious email
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (47)

Core 47
Core References
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2006//Aug/msg00000.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/3486
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21501
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21537
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21632
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-558
Vendor Advisory vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:136
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21338
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-330-1
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3101
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016628
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21253
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1137
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21370
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016671
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21598
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0648.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:137
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19289
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27222
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/4034
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-214A.html
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_44_libtiff.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21290
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11497
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21274
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3105
Vendor Advisory x_refsource_misc
http://secunia.com/blog/76
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27181
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0603.html
Vendor Advisory vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21304
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19283
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27832
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21346
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201331-1
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21319
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21392
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21334
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22036
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27723
Various Sources vendor-advisory x_refsource_trustix
http://lwn.net/Alerts/194228/
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103160-1

Scores

EPSS 0.6870
EPSS Percentile 98.6%

Details

CWE
CWE-119
Status published
Products (17)
libtiff/libtiff 3.4 (11 CPE variants)
libtiff/libtiff 3.5.1
libtiff/libtiff 3.5.2
libtiff/libtiff 3.5.3
libtiff/libtiff 3.5.4
libtiff/libtiff 3.5.5
libtiff/libtiff 3.5.6 (2 CPE variants)
libtiff/libtiff 3.5.7 (6 CPE variants)
libtiff/libtiff 3.6.0 (3 CPE variants)
libtiff/libtiff 3.6.1
... and 7 more
Published Aug 03, 2006
Tracked Since Feb 18, 2026