CVE-2025-9165

A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is best practice to apply a patch to resolve this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
VulDBCNA
3.3 LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Debian logo
Debian Releases
Debian Product
Codename
tiff
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
http://www.libtiff.org/
https://drive.google.com/file/d/1FWhmkzksH8-qU0ZM6seBzGNB3aPnX3G8/view?usp=sharing
https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0
https://gitlab.com/libtiff/libtiff/-/issues/728
https://gitlab.com/libtiff/libtiff/-/merge_requests/747
https://vuldb.com/?ctiid.320543
https://vuldb.com/?id.320543
https://vuldb.com/?submit.630506
https://vuldb.com/?submit.630507