CVE-2025-9165

NameCVE-2025-9165
DescriptionA flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is best practice to apply a patch to resolve this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1111878

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tiff (PTS)bullseye4.2.0-1+deb11u5vulnerable
bullseye (security)4.2.0-1+deb11u6vulnerable
bookworm4.5.0-6+deb12u2vulnerable
bookworm (security)4.5.0-6+deb12u1vulnerable
trixie4.7.0-3vulnerable
forky4.7.0-4fixed
sid4.7.0-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tiffsource(unstable)4.7.0-4unimportant1111878

Notes

https://gitlab.com/libtiff/libtiff/-/issues/728
https://gitlab.com/libtiff/libtiff/-/merge_requests/747
https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0
Memory leak in CLI tool, no security impact

Search for package or bug name: Reporting problems