CVE-2025-9900

Description

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Status: PUBLISHED | Reserved 2025-09-03 | Published 2025-09-23 | Updated 2025-11-07 | Assigner: redhat

Severity: HIGH, 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

Write-what-where Condition

Product status

Default status: unaffected
Any version before 4.7.1: affected

Default status: affected
0:4.6.0-6.el10_0.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-12.el7_9.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-14.el8_10 (rpm) before *: unaffected

Default status: affected
0:4.0.9-35.el8_10 (rpm) before *: unaffected

Default status: affected
0:4.0.9-3.el8_10 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_2.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_4.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_4.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_6.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_6.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_6.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_8.1 (rpm) before *: unaffected

Default status: affected
0:3.9.4-13.el8_8.1 (rpm) before *: unaffected

Default status: affected
0:4.4.0-13.el9_6.2 (rpm) before *: unaffected

Default status: unknown

Default status: affected

Timeline

2025-09-03: Reported to Red Hat.
2025-09-22: Made public.

Credits

Red Hat would like to thank Gareth C (AnchorSec Ltd.) for reporting this issue.

References

github.com/...Tiff-4.7.0-Write-What-Where?tab=readme-ov-file exploit

lists.debian.org/debian-lts-announce/2025/09/msg00031.html

www.openwall.com/lists/oss-security/2025/09/26/3

access.redhat.com/errata/RHSA-2025:17651 (RHSA-2025:17651) vendor-advisory

access.redhat.com/errata/RHSA-2025:17675 (RHSA-2025:17675) vendor-advisory

access.redhat.com/errata/RHSA-2025:17710 (RHSA-2025:17710) vendor-advisory

access.redhat.com/errata/RHSA-2025:17738 (RHSA-2025:17738) vendor-advisory

access.redhat.com/errata/RHSA-2025:17739 (RHSA-2025:17739) vendor-advisory

access.redhat.com/errata/RHSA-2025:17740 (RHSA-2025:17740) vendor-advisory

access.redhat.com/errata/RHSA-2025:19113 (RHSA-2025:19113) vendor-advisory

access.redhat.com/errata/RHSA-2025:19156 (RHSA-2025:19156) vendor-advisory

access.redhat.com/errata/RHSA-2025:19276 (RHSA-2025:19276) vendor-advisory

access.redhat.com/errata/RHSA-2025:19906 (RHSA-2025:19906) vendor-advisory

access.redhat.com/security/cve/CVE-2025-9900 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2392784 (RHBZ#2392784) issue-tracking

github.com/...Tiff-4.7.0-Write-What-Where?tab=readme-ov-file

gitlab.com/libtiff/libtiff/-/issues/704

gitlab.com/libtiff/libtiff/-/merge_requests/732

libtiff.gitlab.io/libtiff/releases/v4.7.1.html

cve.org (CVE-2025-9900)

nvd.nist.gov (CVE-2025-9900)
