Description

A flaw was found in libtiff. The vulnerability is a write-what-where condition triggered when the library processes a specially crafted TIFF image file. By supplying an abnormally large image height value in the file's metadata, an attacker can make the library write attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user running the application.

Status: PUBLISHED | Reserved 2025-09-03 | Published 2025-09-23 | Updated 2026-01-06 | Assigner: redhat

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

Write-what-where Condition

Product status

Each entry lists a product's default status followed by the version range that overrides it; "<version> (rpm) before *" denotes that version and every later version.

Default status: unaffected; any version before 4.7.1: affected
Default status: affected; 0:4.6.0-6.el10_0.1 (rpm) before *: unaffected
Default status: affected; 0:4.6.0-6.el10_1.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-12.el7_9.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.3-35.el7_9.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-14.el8_10 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-35.el8_10 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-3.el8_10 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_2.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-17.el8_2.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_2.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_4.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-18.el8_4.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_4.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_4.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-18.el8_4.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_4.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-21.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-21.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-21.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_6.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_8.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-29.el8_8.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_8.1 (rpm) before *: unaffected
Default status: affected; 0:3.9.4-13.el8_8.1 (rpm) before *: unaffected
Default status: affected; 0:4.0.9-29.el8_8.1 (rpm) before *: unaffected
Default status: affected; 0:8.10-3.el8_8.1 (rpm) before *: unaffected
Default status: affected; 0:4.4.0-13.el9_6.2 (rpm) before *: unaffected
Default status: affected; 0:4.4.0-15.el9_7.2 (rpm) before *: unaffected
Default status: affected; 0:4.2.0-3.el9_0.2 (rpm) before *: unaffected
Default status: affected; 0:4.4.0-8.el9_2.4 (rpm) before *: unaffected
Default status: affected; 0:4.4.0-12.el9_4.4 (rpm) before *: unaffected
Default status: affected; sha256:ec961e5acfde5c1ad0a7e0e2c86a0bf56b9bc46357fa124f9db6dff1006076ab (rpm) before *: unaffected
Default status: affected; sha256:7856bdb7ae0d643a7b9362c164d4d4fe3c0c7186f5fff73a7ae9835b3df52e57 (rpm) before *: unaffected
Default status: affected; sha256:14e32e88f1b89f59ed34a6d712746b82a6a54c6ed4727784f18aeff853abbdc7 (rpm) before *: unaffected
Default status: affected; sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740 (rpm) before *: unaffected
Default status: unknown

Timeline

2025-09-03: Reported to Red Hat.
2025-09-22: Made public.

Credits

Red Hat would like to thank Gareth C (AnchorSec Ltd.) for reporting this issue.

References

github.com/...Tiff-4.7.0-Write-What-Where?tab=readme-ov-file exploit

lists.debian.org/debian-lts-announce/2025/09/msg00031.html

www.openwall.com/lists/oss-security/2025/09/26/3

access.redhat.com/errata/RHSA-2025:17651 (RHSA-2025:17651) vendor-advisory

access.redhat.com/errata/RHSA-2025:17675 (RHSA-2025:17675) vendor-advisory

access.redhat.com/errata/RHSA-2025:17710 (RHSA-2025:17710) vendor-advisory

access.redhat.com/errata/RHSA-2025:17738 (RHSA-2025:17738) vendor-advisory

access.redhat.com/errata/RHSA-2025:17739 (RHSA-2025:17739) vendor-advisory

access.redhat.com/errata/RHSA-2025:17740 (RHSA-2025:17740) vendor-advisory

access.redhat.com/errata/RHSA-2025:19113 (RHSA-2025:19113) vendor-advisory

access.redhat.com/errata/RHSA-2025:19156 (RHSA-2025:19156) vendor-advisory

access.redhat.com/errata/RHSA-2025:19276 (RHSA-2025:19276) vendor-advisory

access.redhat.com/errata/RHSA-2025:19906 (RHSA-2025:19906) vendor-advisory

access.redhat.com/errata/RHSA-2025:19947 (RHSA-2025:19947) vendor-advisory

access.redhat.com/errata/RHSA-2025:20956 (RHSA-2025:20956) vendor-advisory

access.redhat.com/errata/RHSA-2025:20998 (RHSA-2025:20998) vendor-advisory

access.redhat.com/errata/RHSA-2025:21060 (RHSA-2025:21060) vendor-advisory

access.redhat.com/errata/RHSA-2025:21061 (RHSA-2025:21061) vendor-advisory

access.redhat.com/errata/RHSA-2025:21062 (RHSA-2025:21062) vendor-advisory

access.redhat.com/errata/RHSA-2025:21407 (RHSA-2025:21407) vendor-advisory

access.redhat.com/errata/RHSA-2025:21506 (RHSA-2025:21506) vendor-advisory

access.redhat.com/errata/RHSA-2025:21507 (RHSA-2025:21507) vendor-advisory

access.redhat.com/errata/RHSA-2025:21508 (RHSA-2025:21508) vendor-advisory

access.redhat.com/errata/RHSA-2025:21994 (RHSA-2025:21994) vendor-advisory

access.redhat.com/errata/RHSA-2025:23078 (RHSA-2025:23078) vendor-advisory

access.redhat.com/errata/RHSA-2025:23079 (RHSA-2025:23079) vendor-advisory

access.redhat.com/errata/RHSA-2025:23080 (RHSA-2025:23080) vendor-advisory

access.redhat.com/errata/RHSA-2026:0001 (RHSA-2026:0001) vendor-advisory

access.redhat.com/errata/RHSA-2026:0076 (RHSA-2026:0076) vendor-advisory

access.redhat.com/errata/RHSA-2026:0077 (RHSA-2026:0077) vendor-advisory

access.redhat.com/errata/RHSA-2026:0078 (RHSA-2026:0078) vendor-advisory

access.redhat.com/security/cve/CVE-2025-9900 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2392784 (RHBZ#2392784) issue-tracking

github.com/...Tiff-4.7.0-Write-What-Where?tab=readme-ov-file

gitlab.com/libtiff/libtiff/-/issues/704

gitlab.com/libtiff/libtiff/-/merge_requests/732

libtiff.gitlab.io/libtiff/releases/v4.7.1.html

cve.org (CVE-2025-9900)

nvd.nist.gov (CVE-2025-9900)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.