CVE-2025-9900

EUVD-2025-30917
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.

By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Debian logo
Debian Releases
Debian Product
Codename
tiff
bookworm
4.5.0-6+deb12u4
fixed
bookworm (security)
4.5.0-6+deb12u4
fixed
bullseye
vulnerable
bullseye (security)
4.2.0-1+deb11u8
fixed
forky
4.7.1-2
fixed
sid
4.7.1-2
fixed
trixie
4.7.0-3+deb13u2
fixed
trixie (security)
4.7.0-3+deb13u2
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libtiff-devel
suse enterprise desktop 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise desktop 15 SP7
4.7.1-150600.3.23.1
fixed
suse enterprise sap 15 SP3
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP4
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP5
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise sap 15 SP7
4.7.1-150600.3.23.1
fixed
suse enterprise server 12 SP5
4.0.9-44.97.1
fixed
suse enterprise server 15 SP2
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP3
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP4
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP5
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise server 15 SP7
4.7.1-150600.3.23.1
fixed
libtiff5
suse enterprise desktop 15 SP6
4.0.9-150000.45.60.1
fixed
suse enterprise desktop 15 SP7
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP3
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP4
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP5
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP6
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP7
4.0.9-150000.45.60.1
fixed
suse enterprise server 12 SP3
4.0.9-44.97.1
fixed
suse enterprise server 12 SP5
4.0.9-44.97.1
fixed
suse enterprise server 15 SP2
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP3
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP4
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP5
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP6
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP7
4.0.9-150000.45.60.1
fixed
libtiff5-32bit
suse enterprise desktop 15 SP6
4.0.9-150000.45.60.1
fixed
suse enterprise desktop 15 SP7
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP3
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP4
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP5
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP6
4.0.9-150000.45.60.1
fixed
suse enterprise sap 15 SP7
4.0.9-150000.45.60.1
fixed
suse enterprise server 12 SP3
4.0.9-44.97.1
fixed
suse enterprise server 12 SP5
4.0.9-44.97.1
fixed
suse enterprise server 15 SP2
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP3
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP4
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP5
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP6
4.0.9-150000.45.60.1
fixed
suse enterprise server 15 SP7
4.0.9-150000.45.60.1
fixed
libtiff6
suse enterprise desktop 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise desktop 15 SP7
4.7.1-150600.3.23.1
fixed
suse enterprise sap 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise sap 15 SP7
4.7.1-150600.3.23.1
fixed
suse enterprise server 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise server 15 SP7
4.7.1-150600.3.23.1
fixed
libtiff6-32bit
suse enterprise desktop 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise desktop 15 SP7
4.7.1-150600.3.23.1
fixed
suse enterprise sap 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise sap 15 SP7
4.7.1-150600.3.23.1
fixed
suse enterprise server 15 SP6
4.7.1-150600.3.23.1
fixed
suse enterprise server 15 SP7
4.7.1-150600.3.23.1
fixed
tiff
suse enterprise server 12 SP3
4.0.9-44.97.1
fixed
suse enterprise server 12 SP5
4.0.9-44.97.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
libtiff
RHEL 8
0:4.0.9-35.el8_10
fixed
RHEL 8.2 AUS
0:4.0.9-17.el8_2.1
fixed
RHEL 8.4 AUS
0:4.0.9-18.el8_4.1
fixed
RHEL 8.6 AUS
0:4.0.9-21.el8_6.1
fixed
RHEL 8.6 E4S
0:4.0.9-21.el8_6.1
fixed
RHEL 8.6 TUS
0:4.0.9-21.el8_6.1
fixed
RHEL 8.8 E4S
0:4.0.9-29.el8_8.1
fixed
RHEL 8.8 TUS
0:4.0.9-29.el8_8.1
fixed
RHEL 9
0:4.4.0-15.el9_7.2
fixed
libtiff-devel
RHEL 8
0:4.0.9-35.el8_10
fixed
RHEL 8.2 AUS
0:4.0.9-17.el8_2.1
fixed
RHEL 8.4 AUS
0:4.0.9-18.el8_4.1
fixed
RHEL 8.6 AUS
0:4.0.9-21.el8_6.1
fixed
RHEL 8.6 E4S
0:4.0.9-21.el8_6.1
fixed
RHEL 8.6 TUS
0:4.0.9-21.el8_6.1
fixed
RHEL 8.8 E4S
0:4.0.9-29.el8_8.1
fixed
RHEL 8.8 TUS
0:4.0.9-29.el8_8.1
fixed
RHEL 9
0:4.4.0-15.el9_7.2
fixed
libtiff-tools
RHEL 8
0:4.0.9-35.el8_10
fixed
RHEL 9
0:4.4.0-15.el9_7.2
fixed
mingw32-libtiff
RHEL 8
0:4.0.9-3.el8_10
fixed
mingw32-libtiff-static
RHEL 8
0:4.0.9-3.el8_10
fixed
mingw64-libtiff
RHEL 8
0:4.0.9-3.el8_10
fixed
mingw64-libtiff-static
RHEL 8
0:4.0.9-3.el8_10
fixed
spice-client-win-x64
RHEL 8.2 AUS
0:8.10-3.el8_2.1
fixed
RHEL 8.4 AUS
0:8.10-3.el8_4.1
fixed
RHEL 8.6 AUS
0:8.10-3.el8_6.1
fixed
RHEL 8.6 E4S
0:8.10-3.el8_6.1
fixed
RHEL 8.6 TUS
0:8.10-3.el8_6.1
fixed
RHEL 8.8 E4S
0:8.10-3.el8_8.1
fixed
RHEL 8.8 TUS
0:8.10-3.el8_8.1
fixed
spice-client-win-x86
RHEL 8.2 AUS
0:8.10-3.el8_2.1
fixed
RHEL 8.4 AUS
0:8.10-3.el8_4.1
fixed
RHEL 8.6 AUS
0:8.10-3.el8_6.1
fixed
RHEL 8.6 E4S
0:8.10-3.el8_6.1
fixed
RHEL 8.6 TUS
0:8.10-3.el8_6.1
fixed
RHEL 8.8 E4S
0:8.10-3.el8_8.1
fixed
RHEL 8.8 TUS
0:8.10-3.el8_8.1
fixed
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2025:17651
https://access.redhat.com/errata/RHSA-2025:17675
https://access.redhat.com/errata/RHSA-2025:17710
https://access.redhat.com/errata/RHSA-2025:17738
https://access.redhat.com/errata/RHSA-2025:17739
https://access.redhat.com/errata/RHSA-2025:17740
https://access.redhat.com/errata/RHSA-2025:19113
https://access.redhat.com/errata/RHSA-2025:19156
https://access.redhat.com/errata/RHSA-2025:19276
https://access.redhat.com/errata/RHSA-2025:19906
https://access.redhat.com/errata/RHSA-2025:19947
https://access.redhat.com/errata/RHSA-2025:20956
https://access.redhat.com/errata/RHSA-2025:20998
https://access.redhat.com/errata/RHSA-2025:21060
https://access.redhat.com/errata/RHSA-2025:21061
https://access.redhat.com/errata/RHSA-2025:21062
https://access.redhat.com/errata/RHSA-2025:21407
https://access.redhat.com/errata/RHSA-2025:21506
https://access.redhat.com/errata/RHSA-2025:21507
https://access.redhat.com/errata/RHSA-2025:21508
https://access.redhat.com/errata/RHSA-2025:21994
https://access.redhat.com/errata/RHSA-2025:23078
https://access.redhat.com/errata/RHSA-2025:23079
https://access.redhat.com/errata/RHSA-2025:23080
https://access.redhat.com/errata/RHSA-2026:0001
https://access.redhat.com/errata/RHSA-2026:0076
https://access.redhat.com/errata/RHSA-2026:0077
https://access.redhat.com/errata/RHSA-2026:0078
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/errata/RHSA-2026:7504
https://access.redhat.com/security/cve/CVE-2025-9900
https://bugzilla.redhat.com/show_bug.cgi?id=2392784
https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file
https://gitlab.com/libtiff/libtiff/-/issues/704
https://gitlab.com/libtiff/libtiff/-/merge_requests/732
https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html
http://www.openwall.com/lists/oss-security/2025/09/26/3
https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html
https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file