CVE-2025-61143
Published: 2026-02-23
CVE-2025-61143: libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
Priority: P4 | 17 | medium | CVSS 3.1 base score: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.11% (1.7th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.7.1-1 (forky) | tiff 4.7.1-1 (forky) |
| libtiff | libtiff | < 4.7.1 | 4.7.1 |
| msrc | azl3_libtiff_4.6.0-11_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libtiff_4.6.0-11_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| osv | 5.5 | MEDIUM | — |
| vendor_debian | 5.5 | LOW | — |
| vendor_msrc | 5.5 | MEDIUM | — |
| vendor_redhat | 5.5 | MEDIUM | — |
| vendor_ubuntu | 5.5 | MEDIUM | — |
OSV: tiff vulnerabilities
osv · 2026-03-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
It was discovered that LibTIFF did not properly handle memory when processing certain images. An attacker could possibly use this issue to cause LibTIFF to crash, resulting in a denial of service. (CVE-2025-61143)

It was discovered that LibTIFF did not properly handle memory when processing malformed TIFF directories. An attacker could possibly use this issue to cause LibTIFF to crash, resulting in a denial of service. (CVE-2025-61144)
OSV: CVE-2025-61143: libtiff up to v4
osv · 2026-02-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
GHSA: GHSA-p884-v7p5-5858: libtiff up to v4
ghsa_unreviewed · 2026-02-23 · CVE-2025-61143 [MEDIUM] · CWE-476
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
Ubuntu: LibTIFF vulnerabilities
vendor_ubuntu · 2026-03-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
Title: LibTIFF vulnerabilities
Summary: Several security issues were fixed in LibTIFF.
It was discovered that LibTIFF did not properly handle memory when processing certain images. An attacker could possibly use this issue to cause LibTIFF to crash, resulting in a denial of service. (CVE-2025-61143)

It was discovered that LibTIFF did not properly handle memory when processing malformed TIFF directories. An attacker could possibly use this issue to cause LibTIFF to crash, resulting in a denial of service. (CVE-2025-61144)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: libtiff: Denial of Service via NULL pointer dereference in tif_open.c
vendor_redhat · 2026-02-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM] · CWE-476
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
A flaw was found in libtiff. This vulnerability, a NULL pointer dereference, occurs in the `tif_open.c` component. An attacker could exploit this by providing specially crafted input, leading to a Denial of Service (DoS) due to an application crash.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: libtiff (Red Hat Enterprise Linux 10) - Fix deferred
Package: libtiff (Red Hat Enterprise Linux 6)
Microsoft: libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
vendor_msrc · 2026-02-10 · CVSS 5.5 · CVE-2025-61143 [MEDIUM] · CWE-476
Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian: CVE-2025-61143: tiff - libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via th...
vendor_debian · 2025 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.7.1-1)
sid: resolved (fixed in 4.7.1-1)
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2025-61143 iv: libtiff: Denial of Service via NULL pointer dereference in tif_open.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained versi
Bugzilla: CVE-2025-61143 tkimg: libtiff: Denial of Service via NULL pointer dereference in tif_open.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained ve
Bugzilla: CVE-2025-61143 libtiff: libtiff: Denial of Service via NULL pointer dereference in tif_open.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained
Bugzilla: CVE-2025-61143 mingw-libtiff: libtiff: Denial of Service via NULL pointer dereference in tif_open.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maint
Wiz: CVE-2025-61143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.5 · CVE-2025-61143 [MEDIUM]
CVE-2025-61143: NixOS vulnerability analysis and mitigation
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
Source: NVD
Score: 5.5
Published: February 23, 2026
Severity: MEDIUM
CNA Score: 5.5
Affected Technologies: NixOS, Alma Linux
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: mingw64-libtiff, compat-libtiff3-debuginfo
Sources: NVD
| Distribution | Severity | Fix status | Added at |
|---|---|---|---|
| CBL-Mariner 2.0, 3.0 | MEDIUM | Has Fix | Mar 02, 2026 |
| Debian 11, 12, 13 | LOW | No Fix | Feb 24, 2026 |
| Debian 14 | LOW | Has Fix | Feb 24, 2026 |
Echo Severity MEDIUM Has Fi
Published: 2026-02-23