CVE-2025-9900 - Vulnerability Details

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.

By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Long Life Rhel Tus

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-4315-1	tiff security update
Debian DSA	DSA-6023-1	tiff security update
EUVD	EUVD-2025-30917	A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Ubuntu USN	USN-7783-1	LibTIFF vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/09/26/3
https://access.redhat.com/errata/RHSA-2025:17651
https://access.redhat.com/errata/RHSA-2025:17675
https://access.redhat.com/errata/RHSA-2025:17710
https://access.redhat.com/errata/RHSA-2025:17738
https://access.redhat.com/errata/RHSA-2025:17739
https://access.redhat.com/errata/RHSA-2025:17740
https://access.redhat.com/errata/RHSA-2025:19113
https://access.redhat.com/errata/RHSA-2025:19156
https://access.redhat.com/errata/RHSA-2025:19276
https://access.redhat.com/security/cve/CVE-2025-9900
https://bugzilla.redhat.com/show_bug.cgi?id=2392784
https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file
https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html
https://nvd.nist.gov/vuln/detail/CVE-2025-9900
https://www.cve.org/CVERecord?id=CVE-2025-9900

History

Tue, 04 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/09/26/3

Mon, 03 Nov 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html

Thu, 30 Oct 2025 01:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8::crb
References		https://access.redhat.com/errata/RHSA-2025:19276

Tue, 28 Oct 2025 11:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:10~~	cpe:/o:redhat:enterprise_linux:10.0
References		https://access.redhat.com/errata/RHSA-2025:19156

Tue, 28 Oct 2025 00:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:enterprise_linux:9::crb
References		https://access.redhat.com/errata/RHSA-2025:19113

Mon, 13 Oct 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products		Redhat rhel E4s Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:17738 https://access.redhat.com/errata/RHSA-2025:17739 https://access.redhat.com/errata/RHSA-2025:17740

Thu, 09 Oct 2025 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els
References		https://access.redhat.com/errata/RHSA-2025:17710

Thu, 09 Oct 2025 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Eus Long Life
CPEs		cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel Eus Long Life
References		https://access.redhat.com/errata/RHSA-2025:17651 https://access.redhat.com/errata/RHSA-2025:17675

Wed, 08 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:rhivos:1~~
Vendors & Products	Redhat rhivos

Wed, 01 Oct 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhivos
CPEs		cpe:/o:redhat:rhivos:1
Vendors & Products		Redhat rhivos

Tue, 23 Sep 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 23 Sep 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Title	libtiff: Libtiff Write-What-Where	Libtiff: libtiff write-what-where
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-9900 https://bugzilla.redhat.com/show_bug.cgi?id=2392784

Tue, 23 Sep 2025 00:15:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		libtiff: Libtiff Write-What-Where
Weaknesses		CWE-123
References		https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file https://nvd.nist.gov/vuln/detail/CVE-2025-9900 https://www.cve.org/CVERecord?id=CVE-2025-9900
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-09-23T16:26:22.846Z

Updated: 2025-11-04T21:15:25.287Z

Reserved: 2025-09-03T03:01:04.778Z

Link: CVE-2025-9900

Vulnrichment

Updated: 2025-11-04T21:15:25.287Z

NVD

Status : Undergoing Analysis

Published: 2025-09-23T17:15:38.357

Modified: 2025-11-04T22:16:46.070

Link: CVE-2025-9900

Redhat

Severity : Important

Publid Date: 2025-09-22T14:29:35Z

Links: CVE-2025-9900 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object