CVE-2025-8177
Published 2025-07-26
Priority: P3 (44)
Severity: high, CVSS 3.1 base score 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.27% (18.7th percentile)
A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.7.1-1 (forky) | tiff 4.7.1-1 (forky) |
| libtiff | libtiff | <= 4.7.0 | — |
| libtiff | libtiff | — | — |
| msrc | azl3_libtiff_4.6.0-7_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libtiff_4.6.0-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_libtiff_4.6.0-8_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 4.3 | MEDIUM | AV:L/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 4.8 | MEDIUM | — |
| vendor_msrc | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 4.8 | LOW | — |
| vendor_redhat | — | 4.8 | MEDIUM | — |
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu · 2025-08-20 · CVSS 5.3 · CVE-2025-8176 [MEDIUM]
Summary: Several security issues were fixed in LibTIFF.
It was discovered that LibTIFF incorrectly handled certain memory operations when using the tiffmedian tool. An attacker could trick a user into processing a specially crafted TIFF image file and potentially use this issue to cause a denial of service. (CVE-2025-8176)

It was discovered that LibTIFF did not properly perform bounds checking in certain operations when using the thumbnail tool. An attacker could trick a user into processing a specially crafted TIFF image file and potentially use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2025-8177)

It was discovered that LibTIFF incorrectly handled certain memory operations when using tiff2ps too
Red Hat
libtiff: LibTIFF Buffer Overflow
vendor_redhat · 2025-07-26 · CVSS 4.8 · CVE-2025-8177 [MEDIUM] · CWE-120
A flaw was found in libtiff. The `setrow` function in `tools/thumbnail.c` contains a buffer overflow triggered by manipulation of image data, which can allow a local attacker to cause a denial of service. The overflow occurs when processing a crafted file. The vulnerability stems from insufficient bounds c
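The advisories above only say that a row-building routine in a thumbnail tool wrote past a buffer because of missing bounds checks (CWE-120). The following is an added illustration of that bug class, written for this page; it is not libtiff's `setrow()` and not the code changed by commit e8c9d6c616b19438695fd829e58ae4fde5bfbc22. The `THUMB_WIDTH`/`scale` geometry model, the function names and the constructed scanline are all assumptions chosen to show the pattern: an output row of fixed size is indexed by a value derived from file-controlled image dimensions, and the fix is to validate the geometry before the first write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class named on this page (CWE-120,
 * missing bounds checks in a thumbnail row routine). Not libtiff code; the
 * geometry model (fixed output row, integer downscale) is an assumption. */

#define THUMB_WIDTH 64   /* fixed-size output row, as a thumbnailer might keep */

/* Vulnerable pattern: every destination index is derived from the
 * file-controlled source width. If src_width > THUMB_WIDTH * scale, the
 * loop writes past the end of `row`. Shown for contrast only; never call it
 * with untrusted geometry. */
void setrow_unchecked(uint32_t row[THUMB_WIDTH], const uint8_t *src,
                      uint32_t src_width, uint32_t scale)
{
    for (uint32_t x = 0; x < src_width; x++)
        row[x / scale] += src[x];           /* out-of-bounds write possible */
}

/* Hardened form: reject geometry that would index past the row before any
 * write happens. Returns 0 on success, -1 if the input is rejected. */
int setrow_checked(uint32_t *row, size_t row_len, const uint8_t *src,
                   uint32_t src_width, uint32_t scale)
{
    if (scale == 0 || row_len == 0)
        return -1;
    /* ceil(src_width / scale) output columns are touched; computed in 64-bit
     * so the addition cannot wrap for large 32-bit widths. */
    uint64_t needed = ((uint64_t)src_width + scale - 1) / scale;
    if (needed > row_len)
        return -1;
    for (uint32_t x = 0; x < src_width; x++)
        row[x / scale] += src[x];
    return 0;
}

/* Driver on constructed input: a scanline of src_width bytes all equal to 1,
 * so an accepted row holds `scale` in every full column. Returns -1 when the
 * geometry was rejected, -2 if the demo buffer is too small, otherwise the
 * value of the last written column (0 for an empty scanline). */
int64_t demo(uint32_t src_width, uint32_t scale)
{
    uint8_t src[1024];
    uint32_t row[THUMB_WIDTH];

    if (src_width > sizeof src)
        return -2;                          /* demo buffer limit, not a security check */
    memset(src, 1, sizeof src);             /* constructed sample scanline */
    memset(row, 0, sizeof row);

    if (setrow_checked(row, THUMB_WIDTH, src, src_width, scale) != 0)
        return -1;
    if (src_width == 0)
        return 0;
    return row[(src_width - 1) / scale];
}

int main(void)
{
    printf("256 px, scale 4 -> %lld (accepted: 64 columns)\n", (long long)demo(256, 4));
    printf("256 px, scale 2 -> %lld (rejected: 128 columns > %d)\n", (long long)demo(256, 2), THUMB_WIDTH);
    printf("250 px, scale 4 -> %lld (accepted: partial last column)\n", (long long)demo(250, 4));
    return 0;
}
```

The point of the check is its placement: the relationship between source width, scale and output width is decided once, from the file's own header values, before the loop runs. Clamping inside the loop would also stop the write, but then a hostile file silently produces a truncated thumbnail instead of being rejected, which is usually the wrong trade for a command-line tool.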
Microsoft
LibTIFF thumbnail.c setrow buffer overflow
vendor_msrc · 2025-07-08 · CVSS 5.3 · CVE-2025-8177 [MEDIUM] · CWE-120
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
VulDB: VulDB
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.co
Debian
CVE-2025-8177: tiff - A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical....
vendor_debian · 2025 · CVSS 4.8 · CVE-2025-8177 [MEDIUM]
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.7.1-1)
sid: resolved (fixed in 4.7.1-1)
trixie: open
OSV
tiff vulnerabilities
osv · 2025-08-20 · CVSS 4.8 · CVE-2025-8176 [MEDIUM]

It was discovered that LibTIFF incorrectly handled certain memory operations when using the tiffmedian tool. An attacker could trick a user into processing a specially crafted TIFF image file and potentially use this issue to cause a denial of service. (CVE-2025-8176)

It was discovered that LibTIFF did not properly perform bounds checking in certain operations when using the thumbnail tool. An attacker could trick a user into processing a specially crafted TIFF image file and potentially use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2025-8177)

It was discovered that LibTIFF incorrectly handled certain memory operations when using the tiff2ps tool. An attacker could trick a user into processing a specially craft
OSV
CVE-2025-8177: A vulnerability was found in LibTIFF up to 4
osv · 2025-07-26 · CVSS 4.8 · CVE-2025-8177 [MEDIUM]
GHSA
GHSA-w743-578r-x56m: A vulnerability was found in LibTIFF up to 4
ghsa_unreviewed · 2025-07-26 · CVE-2025-8177 [MEDIUM] · CWE-119
No detection rules found.
No public exploits indexed.
References
http://www.libtiff.org/
https://gitlab.com/libtiff/libtiff/-/commit/e8c9d6c616b19438695fd829e58ae4fde5bfbc22
https://gitlab.com/libtiff/libtiff/-/issues/715
https://gitlab.com/libtiff/libtiff/-/merge_requests/737
https://vuldb.com/?ctiid.317591
https://vuldb.com/?id.317591
https://vuldb.com/?submit.621797
Published: 2025-07-26