A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.

By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-4315-1 tiff security update
Debian DSA Debian DSA DSA-6023-1 tiff security update
EUVD EUVD EUVD-2025-30917 A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Ubuntu USN Ubuntu USN USN-7783-1 LibTIFF vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Mon, 13 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products Redhat rhel E4s
Redhat rhel Tus
References

Thu, 09 Oct 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els
References

Thu, 09 Oct 2025 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Eus Long Life
CPEs cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products Redhat rhel Aus
Redhat rhel Eus Long Life
References

Wed, 08 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhivos:1
Vendors & Products Redhat rhivos

Wed, 01 Oct 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhivos
CPEs cpe:/o:redhat:rhivos:1
Vendors & Products Redhat rhivos

Tue, 23 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Title libtiff: Libtiff Write-What-Where Libtiff: libtiff write-what-where
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References

Tue, 23 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title libtiff: Libtiff Write-What-Where
Weaknesses CWE-123
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-10-13T01:25:47.180Z

Reserved: 2025-09-03T03:01:04.778Z

Link: CVE-2025-9900

cve-icon Vulnrichment

Updated: 2025-09-23T18:31:21.984Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-23T17:15:38.357

Modified: 2025-10-13T02:15:34.853

Link: CVE-2025-9900

cve-icon Redhat

Severity : Important

Publid Date: 2025-09-22T14:29:35Z

Links: CVE-2025-9900 - Bugzilla

cve-icon OpenCVE Enrichment

No data.