CVE-2025-9900

NameCVE-2025-9900
DescriptionA flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4315-1, DSA-6023-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tiff (PTS)bullseye4.2.0-1+deb11u5vulnerable
bullseye (security)4.2.0-1+deb11u7fixed
bookworm4.5.0-6+deb12u2vulnerable
bookworm (security)4.5.0-6+deb12u3fixed
trixie4.7.0-3vulnerable
trixie (security)4.7.0-3+deb13u1fixed
forky, sid4.7.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tiffsourcebullseye4.2.0-1+deb11u7DLA-4315-1
tiffsourcebookworm4.5.0-6+deb12u3DSA-6023-1
tiffsourcetrixie4.7.0-3+deb13u1DSA-6023-1
tiffsource(unstable)4.7.1-1

Notes

https://gitlab.com/libtiff/libtiff/-/issues/704
https://gitlab.com/libtiff/libtiff/-/merge_requests/732
https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99 (v4.7.1rc1)
Search for package or bug name: Reporting problems