CVE-2025-61145
Published: 2026-02-23
Priority: P4 · 18 · medium · CVSS 3.1 base score 5
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.13% (3.1th percentile)
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.7.1-1 (forky) | tiff 4.7.1-1 (forky) |
| libtiff | libtiff | < 4.7.1 | 4.7.1 |
| msrc | azl3_libtiff_4.6.0-11_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libtiff_4.6.0-11_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
| osv | — | 5.0 | MEDIUM | — |
| vendor_msrc | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
OSV
CVE-2025-61145: libtiff up to v4
osv · 2026-02-23 · CVSS 5.0 · MEDIUM
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
GHSA
GHSA-5jj2-qhxw-rpq6: libtiff up to v4
ghsa_unreviewed · 2026-02-23 · MEDIUM · CWE-415
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
Red Hat
libtiff: libtiff: Denial of service via double free in tiffcrop.c
vendor_redhat · 2026-02-23 · CVSS 5.0 · MEDIUM · CWE-1341
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
A denial of service flaw via segmentation fault has been found in libtiff. This segmentation fault vulnerability is caused by accessing invalid or corrupted memory addresses during memory deallocation operations. The root issue lies in the cleanup logic of the main function where the program attempts to free memory that has been corrupted or points to an invalid memory region.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Microsoft
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
vendor_msrc · 2026-02-10 · CVSS 5.5 · MEDIUM · CWE-415
Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Debian
CVE-2025-61145: tiff - libtiff up to v4.7.1 was discovered to contain a double free via the component t...
vendor_debian · 2025 · CVSS 5.0 · MEDIUM
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.7.1-1)
sid: resolved (fixed in 4.7.1-1)
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61145 iv: libtiff: Denial of service via double free in tiffcrop.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.0 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change th
Bugzilla
CVE-2025-61145 tkimg: libtiff: Denial of service via double free in tiffcrop.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.0 · MEDIUM
Bugzilla
CVE-2025-61145 libtiff: libtiff: Denial of service via double free in tiffcrop.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.0 · MEDIUM
Bugzilla
CVE-2025-61145 mingw-libtiff: libtiff: Denial of service via double free in tiffcrop.c [fedora-42]
bugzilla · 2026-02-23 · CVSS 5.0 · MEDIUM
Wiz
CVE-2025-61145 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.0 · MEDIUM
CVE-2025-61145: NixOS vulnerability analysis and mitigation
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
Source: NVD
Score: 5
Published: February 23, 2026
Severity: MEDIUM
CNA Score: 5.5
Affected Technologies: NixOS, Alma Linux
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: libtiff-static, compat-libtiff3-debuginfo
Sources: NVD
| Distribution | Severity | Fix status | Added at |
|---|---|---|---|
| CBL-Mariner 2.0, 3.0 | MEDIUM | Has Fix | Mar 03, 2026 |
| Debian 11, 12, 13 | LOW | No Fix | Feb 24, 2026 |
| Debian 14 | LOW | Has Fix | Feb 24, 2026 |
| Echo | MEDIUM | Has Fix | Feb 24, |