CVE-2025-8176

A vulnerability was found in LibTIFF up to version 4.7.0 and has been declared critical. It affects the function get_histogram in the file tools/tiffmedian.c; the manipulation leads to a use after free. The attack must be carried out locally. An exploit has been publicly disclosed and may be in use. The fix is identified by commit fe10872e53efba9cc36c66ac4ab3b41a839d5172; applying the patch is recommended.
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   5.3 MEDIUM   LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDB      CNA    5.3 MEDIUM                                                    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
CISA-ADP   ADP    ---                                                           ---

Base Score: CVSS 3.x
EPSS Score Percentile: 2%
Vendor    Product   Version
libtiff   libtiff   x ≤ 4.7.0

(x = vulnerable software versions)
Debian Releases
Debian Product: tiff

Codename              Fixed Version   Status
bullseye                              unimportant
bullseye (security)                   unimportant
bookworm                              unimportant
bookworm (security)                   unimportant
trixie                                unimportant
trixie (security)                     unimportant
forky                 4.7.1-1         fixed
sid                   4.7.1-1         fixed
Ubuntu Releases
Ubuntu Product: tiff

Codename   Fixed Version                                 Status
plucky     4.5.1+git230720-4ubuntu4.1                    released
noble      4.5.1+git230720-4ubuntu2.3                    released
jammy      4.3.0-6ubuntu0.11                             released
focal      4.1.0+git191117-2ubuntu0.20.04.14+esm1        released
bionic     4.0.9-5ubuntu0.10+esm8                        released
xenial     4.0.6-1ubuntu0.8+esm18                        released
trusty     4.0.3-7ubuntu0.11+esm15                       released