CVE-2025-8851
published 2025-08-11CVE-2025-8851: A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the…
PriorityP427medium5.3CVSS 3.1
AVLACLPRLUINSUCLILAL
EPSS
0.16%
5.8th percentile
A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.7.0-1 (forky) | tiff 4.7.0-1 (forky) |
| libtiff | libtiff | <= 4.5.1 | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| msrc | azl3_libtiff_4.6.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_libtiff_4.6.0-8_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libtiff_4.6.0-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_libtiff_4.6.0-8_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.04.8MEDIUMCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.04.3MEDIUMAV:L/AC:L/Au:S/C:P/I:P/A:P
osv4.8MEDIUM
vendor_msrc5.3MEDIUM
vendor_ubuntu5.3MEDIUM
vendor_debian4.8LOW
vendor_redhat4.8MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2025-08-20·CVSS 5.3
CVE-2025-8176 [MEDIUM] LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: Several security issues were fixed in LibTIFF.
It was discovered that LibTIFF incorrectly handled certain memory
operations when using tiffmedian tool. An attacker could trick a user into
processing a specially crafted tiff image file and potentially use this
issue to cause a denial of service. (CVE-2025-8176)
It was discovered that LibTIFF did not properly perform bounds checking
in certain operations when using thumbnail tool. An attacker could trick
a user into processing a specially crafted tiff image file and
potentially use this issue to cause a denial of service. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2025-8177)
It was discovered that LibTIFF incorrectly handled certain memory
operations when using tiff2ps too
Microsoft
LibTIFF tiffcrop tiffcrop.c readSeparateStripsetoBuffer stack-based overflow
vendor_msrc·2025-08-12·CVSS 5.3
CVE-2025-8851 [MEDIUM] CWE-121 LibTIFF tiffcrop tiffcrop.c readSeparateStripsetoBuffer stack-based overflow
LibTIFF tiffcrop tiffcrop.c readSeparateStripsetoBuffer stack-based overflow
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
VulDB: VulDB
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Ref
Red Hat
libtiff: LibTIFF Stack-based buffer overflow
vendor_redhat·2025-08-11·CVSS 4.8
CVE-2025-8851 [MEDIUM] CWE-805 libtiff: LibTIFF Stack-based buffer overflow
libtiff: LibTIFF Stack-based buffer overflow
A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.
A stack based buffer overflow flaw has been discovered in libTIFF. An attacker with local access may be able to craft input to the readSeparateStripsetoBuffer function in the file tools/tiffcrop.c that triggers this flaw. This issue could allow an attacker to achieve local code execution in the context of the affected process.
Mitigation: Mitig
Debian
CVE-2025-8851: tiff - A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is...
vendor_debian·2025·CVSS 4.8
CVE-2025-8851 [MEDIUM] CVE-2025-8851: tiff - A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is...
A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.7.0-1)
sid: resolved (fixed in 4.7.0-1)
trixie: resolved (fixed in 4.7.0-1)
OSV
tiff vulnerabilities
osv·2025-08-20·CVSS 4.8
CVE-2025-8176 [MEDIUM] tiff vulnerabilities
tiff vulnerabilities
It was discovered that LibTIFF incorrectly handled certain memory
operations when using tiffmedian tool. An attacker could trick a user into
processing a specially crafted tiff image file and potentially use this
issue to cause a denial of service. (CVE-2025-8176)
It was discovered that LibTIFF did not properly perform bounds checking
in certain operations when using thumbnail tool. An attacker could trick
a user into processing a specially crafted tiff image file and
potentially use this issue to cause a denial of service. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2025-8177)
It was discovered that LibTIFF incorrectly handled certain memory
operations when using tiff2ps tool. An attacker could trick a user into
processing a specially craft
GHSA
GHSA-mcqf-6qjh-v78v: A vulnerability was determined in LibTIFF up to 4
ghsa_unreviewed·2025-08-11
CVE-2025-8851 [MEDIUM] CWE-119 GHSA-mcqf-6qjh-v78v: A vulnerability was determined in LibTIFF up to 4
A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.
OSV
CVE-2025-8851: A vulnerability was determined in LibTIFF up to 4
osv·2025-08-11·CVSS 4.8
CVE-2025-8851 [MEDIUM] CVE-2025-8851: A vulnerability was determined in LibTIFF up to 4
A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-8851 iv: LibTIFF Stack-based buffer overflow [fedora-42]
bugzilla·2025-08-11·CVSS 4.8
CVE-2025-8851 [MEDIUM] CVE-2025-8851 iv: LibTIFF Stack-based buffer overflow [fedora-42]
CVE-2025-8851 iv: LibTIFF Stack-based buffer overflow [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases
Bugzilla
CVE-2025-8851 mingw-libtiff: LibTIFF Stack-based buffer overflow [fedora-42]
bugzilla·2025-08-11·CVSS 4.8
CVE-2025-8851 [MEDIUM] CVE-2025-8851 mingw-libtiff: LibTIFF Stack-based buffer overflow [fedora-42]
CVE-2025-8851 mingw-libtiff: LibTIFF Stack-based buffer overflow [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports fro
2025-08-11
Published