CVE-2025-9900: Write-what-where Condition in Tiff

Severity
NVD: 8.8 HIGH
OSV: 4.8
EPSS
0.0% (top 89.34%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 23
Latest update: Jan 15

Description

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 3 packages

Vulnerability Details (3)

OSV: tiff vulnerabilities (2025-09-29)
OSV: CVE-2025-9900: A flaw was found in Libtiff (2025-09-23)
GHSA: GHSA-qc8j-wvjf-7jfj: A flaw was found in Libtiff (2025-09-23)

Vendor Advisories (5)

Oracle: Oracle Communications Risk Matrix: Configuration Management Platform (LibTIFF) — CVE-2025-9900 (2026-01-15)
Ubuntu: LibTIFF vulnerabilities (2025-09-29)
Red Hat: libtiff: Libtiff Write-What-Where (2025-09-22)
Microsoft: Libtiff: libtiff write-what-where (2025-09-09)
Debian: CVE-2025-9900: tiff - A flaw was found in Libtiff. This vulnerability is a "write-what-where" conditio... (2025)