CVE-2025-8534

EUVD-2025-23581

05.08.2025, 00:15

A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.5 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
VulDB	CNA	2.5 LOW				CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
libtiff	libtiff	4.6.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

tiff

bionic	Fixed 4.0.9-5ubuntu0.10+esm8 released
focal	Fixed 4.1.0+git191117-2ubuntu0.20.04.14+esm1 released
jammy	Fixed 4.3.0-6ubuntu0.11 released
noble	Fixed 4.5.1+git230720-4ubuntu2.3 released
plucky	Fixed 4.5.1+git230720-4ubuntu4.1 released
questing	Fixed 4.7.0-3ubuntu2 released
trusty	Fixed 4.0.3-7ubuntu0.11+esm15 released
xenial	Fixed 4.0.6-1ubuntu0.8+esm18 released

qtwebengine-opensource-src

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage

texmaker

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage
xenial	needs-triage

gdal

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
questing	not-affected
trusty	needs-triage
xenial	needs-triage

neuron

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	not-affected
plucky	not-affected
questing	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-404 - Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use.

References

http://www.libtiff.org/

https://drive.google.com/file/d/15JPA3kLYiYD-nRNJ8y8HmnYjhv9NE7k6/view?usp=drive_link

https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b

https://gitlab.com/libtiff/libtiff/-/issues/718

https://gitlab.com/libtiff/libtiff/-/merge_requests/746

https://vuldb.com/?ctiid.318664

https://vuldb.com/?id.318664

https://vuldb.com/?submit.617831

https://gitlab.com/libtiff/libtiff/-/issues/718

https://vuldb.com/?submit.617831