CVE-2025-9900
📋 TL;DR
This CVE describes a write-what-where vulnerability in Libtiff where processing a specially crafted TIFF image with an abnormally large height value allows an attacker to write arbitrary color data to any memory location. This can lead to denial of service (application crashes) or arbitrary code execution with user permissions. Any system or application using vulnerable versions of Libtiff to process TIFF images is affected.
💻 Affected Systems
- Libtiff
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the permissions of the user running the vulnerable application, potentially leading to full system compromise.
Likely Case
Application crash (denial of service) when processing malicious TIFF files, disrupting services that handle image processing.
If Mitigated
Limited impact if proper input validation and memory protections are in place, potentially causing only crashes without code execution.
🎯 Exploit Status
Exploitation requires crafting a malicious TIFF file and tricking a user or system into processing it; no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions (e.g., via RHSA-2025:17651).
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:17651
Restart Required: Yes
Instructions:
1. Identify affected systems using Libtiff.
2. Apply the latest patches from your vendor (e.g., Red Hat, Ubuntu).
3. Restart services or applications that use Libtiff to ensure the patch is active.
🔧 Temporary Workarounds
Disable TIFF Processing
Block or disable processing of TIFF files in vulnerable applications to prevent exploitation.
# Example for a web server: configure to reject TIFF MIME types
# Use application-specific settings to disable TIFF support
Input Validation
Implement strict input validation to reject TIFF files with abnormal metadata values, such as an ImageLength (height) far larger than any image the application legitimately handles.
# Custom script to check TIFF metadata before processing
# Use tools like 'tiffinfo' to validate files
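The pre-processing check described above, as an added example that is not part of this advisory or of libtiff itself: it parses the classic TIFF header and first IFD by hand (no libtiff call is made on untrusted input), extracts ImageWidth and ImageLength, and rejects files whose height, width or pixel count exceed assumed caps (MAX_DIMENSION and MAX_PIXELS are illustrative limits; tune them to the images your application actually accepts). BigTIFF is deliberately rejected.

```python
import struct

TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH = 256, 257   # TIFF 6.0 tag numbers
TYPE_SHORT, TYPE_LONG = 3, 4                   # TIFF field types
MAX_DIMENSION = 65_536                         # assumed sane per-axis bound
MAX_PIXELS = 256 * 1024 * 1024                 # assumed cap on width * height

def read_tiff_dims(data: bytes):
    """Parse the TIFF header and first IFD; return (width, height) or raise ValueError."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        end = "<"            # little-endian
    elif data[:2] == b"MM":
        end = ">"            # big-endian
    else:
        raise ValueError("not a TIFF byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not classic TIFF (BigTIFF or other format)")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset beyond end of file")
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    dims = {}
    for i in range(count):
        entry = data[ifd_off + 2 + 12 * i: ifd_off + 14 + 12 * i]
        if len(entry) < 12:
            raise ValueError("truncated IFD")
        tag, typ, n = struct.unpack(end + "HHI", entry[:8])
        if tag in (TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH) and n == 1:
            # Inline values are left-justified in the 4-byte value field
            if typ == TYPE_SHORT:
                (dims[tag],) = struct.unpack(end + "H", entry[8:10])
            elif typ == TYPE_LONG:
                (dims[tag],) = struct.unpack(end + "I", entry[8:12])
            else:
                raise ValueError(f"tag {tag} has unexpected type {typ}")
    if TAG_IMAGE_WIDTH not in dims or TAG_IMAGE_LENGTH not in dims:
        raise ValueError("missing ImageWidth/ImageLength")
    return dims[TAG_IMAGE_WIDTH], dims[TAG_IMAGE_LENGTH]

def tiff_is_acceptable(data: bytes) -> bool:
    """Gate to run before handing a file to libtiff: False means reject."""
    try:
        w, h = read_tiff_dims(data)
    except ValueError:
        return False
    return 0 < w <= MAX_DIMENSION and 0 < h <= MAX_DIMENSION and w * h <= MAX_PIXELS

def build_tiff(width: int, height: int, order: str = "<") -> bytes:
    """Constructed test input: header plus an IFD holding only the two size tags."""
    bom = b"II" if order == "<" else b"MM"
    ifd = struct.pack(order + "H", 2)
    ifd += struct.pack(order + "HHII", TAG_IMAGE_WIDTH, TYPE_LONG, 1, width)
    ifd += struct.pack(order + "HHII", TAG_IMAGE_LENGTH, TYPE_LONG, 1, height)
    return bom + struct.pack(order + "HI", 42, 8) + ifd + struct.pack(order + "I", 0)
```

A file that fails this gate should be quarantined and logged rather than passed to any libtiff-based decoder.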
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using Libtiff from untrusted sources.
- Use application whitelisting to restrict execution of vulnerable applications.
🔍 How to Verify
Check if Vulnerable:
Check the Libtiff version on your system; if it's within the affected range (consult Red Hat advisories), it is vulnerable.
Check Version:
tiffinfo --version # On Linux/Unix systems
Verify Fix Applied:
Verify that the Libtiff version has been updated to a patched version as specified in vendor advisories.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or errors when processing TIFF files
- Unusual memory access patterns in system logs
Network Indicators:
- Inbound transfers of TIFF files to vulnerable systems
- Outbound connections after processing suspicious TIFF files
SIEM Query:
Example: search application logs from the last 24 hours for 'libtiff' AND ('crash' OR 'error'). Keep the parentheses: most query languages bind AND more tightly than OR, so without them a bare 'error' term matches on its own.
🔗 References
- https://access.redhat.com/errata/RHSA-2025:17651
- https://access.redhat.com/errata/RHSA-2025:17675
- https://access.redhat.com/errata/RHSA-2025:17710
- https://access.redhat.com/errata/RHSA-2025:17738
- https://access.redhat.com/errata/RHSA-2025:17739
- https://access.redhat.com/errata/RHSA-2025:17740
- https://access.redhat.com/errata/RHSA-2025:19113
- https://access.redhat.com/errata/RHSA-2025:19156
- https://access.redhat.com/errata/RHSA-2025:19276
- https://access.redhat.com/errata/RHSA-2025:19906
- https://access.redhat.com/errata/RHSA-2025:19947
- https://access.redhat.com/errata/RHSA-2025:20956
- https://access.redhat.com/errata/RHSA-2025:20998
- https://access.redhat.com/errata/RHSA-2025:21060
- https://access.redhat.com/errata/RHSA-2025:21061
- https://access.redhat.com/errata/RHSA-2025:21062
- https://access.redhat.com/errata/RHSA-2025:21407
- https://access.redhat.com/errata/RHSA-2025:21506
- https://access.redhat.com/errata/RHSA-2025:21507
- https://access.redhat.com/errata/RHSA-2025:21508
- https://access.redhat.com/errata/RHSA-2025:21994
- https://access.redhat.com/errata/RHSA-2025:23078
- https://access.redhat.com/errata/RHSA-2025:23079
- https://access.redhat.com/errata/RHSA-2025:23080
- https://access.redhat.com/errata/RHSA-2026:0001
- https://access.redhat.com/errata/RHSA-2026:0076
- https://access.redhat.com/errata/RHSA-2026:0077
- https://access.redhat.com/errata/RHSA-2026:0078
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/security/cve/CVE-2025-9900
- https://bugzilla.redhat.com/show_bug.cgi?id=2392784
- https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file
- https://gitlab.com/libtiff/libtiff/-/issues/704
- https://gitlab.com/libtiff/libtiff/-/merge_requests/732
- https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html
- http://www.openwall.com/lists/oss-security/2025/09/26/3
- https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html