CVE-2025-9165 — Missing Release of Memory after Effective Lifetime in Libtiff

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-404 — Improper Resource Shutdown or Release CWE-772 — Missing Release of Resource after Effective Lifetime9 documents8 sources

Severity

2.0LOWNVD

OSV4.8

EPSS

0.0%

top 91.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libtiff

Timeline

PublishedAug 19

Latest updateSep 29

Description

A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. There is ongoing doubt regarding the real existence of this vulnerability.…

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5libtiff/libtiff4.7.0

▶NVDlibtiff/libtiff4.7.0

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

OSV

tiff vulnerabilities↗2025-09-29

▶

GHSA

GHSA-64vg-6m9q-6vr3: A flaw has been found in LibTIFF 4↗2025-08-19

▶

OSV

CVE-2025-9165: A flaw has been found in LibTIFF 4↗2025-08-19

▶

CVEList

LibTIFF tiffcmp tiffcmp.c InitCCITTFax3 memory leak↗2025-08-19

▶

📋Vendor Advisories

Ubuntu

LibTIFF vulnerabilities↗2025-09-29

▶

Red Hat

libtiff: LibTIFF memory leak↗2025-08-19

▶

Microsoft

LibTIFF tiffcmp tiffcmp.c InitCCITTFax3 memory leak↗2025-08-12

▶

Debian

CVE-2025-9165: tiff - A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt...↗2025

▶