Nixpkgs security tracker

Permalink CVE-2025-9900

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 6 months, 2 weeks ago by @balsoft Activity log

Created suggestion 7 months, 2 weeks ago
@balsoft accepted 6 months, 2 weeks ago
@balsoft deleted
3 maintainers
- @sikmir
- @imincik
- @nialov
6 months, 2 weeks ago maintainer.delete
@balsoft added maintainer @balsoft 6 months, 2 weeks ago maintainer.add
@balsoft published on GitHub 6 months, 2 weeks ago

Libtiff: libtiff write-what-where

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

References

https://access.redhat.com/security/cve/CVE-2025-9900 vdb-entryx_refsource_REDHAT
RHBZ#2392784 issue-trackingx_refsource_REDHAT
https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=read… exploit
RHSA-2025:17651 x_refsource_REDHATvendor-advisory
RHSA-2025:17675 x_refsource_REDHATvendor-advisory
RHSA-2025:17710 x_refsource_REDHATvendor-advisory
RHSA-2025:17738 x_refsource_REDHATvendor-advisory
RHSA-2025:17739 x_refsource_REDHATvendor-advisory
RHSA-2025:17740 x_refsource_REDHATvendor-advisory
RHSA-2025:19113 x_refsource_REDHATvendor-advisory
RHSA-2025:19156 x_refsource_REDHATvendor-advisory
RHSA-2025:19276 x_refsource_REDHATvendor-advisory
https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html
http://www.openwall.com/lists/oss-security/2025/09/26/3
RHSA-2025:19906 x_refsource_REDHATvendor-advisory
https://gitlab.com/libtiff/libtiff/-/issues/704
https://gitlab.com/libtiff/libtiff/-/merge_requests/732
https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html
RHSA-2025:19947 x_refsource_REDHATvendor-advisory
RHSA-2025:20956 x_refsource_REDHATvendor-advisory
RHSA-2025:20998 x_refsource_REDHATvendor-advisory
RHSA-2025:21060 x_refsource_REDHATvendor-advisory
RHSA-2025:21061 x_refsource_REDHATvendor-advisory
RHSA-2025:21062 x_refsource_REDHATvendor-advisory
RHSA-2025:21407 x_refsource_REDHATvendor-advisory
RHSA-2025:21506 x_refsource_REDHATvendor-advisory
RHSA-2025:21507 x_refsource_REDHATvendor-advisory
RHSA-2025:21508 x_refsource_REDHATvendor-advisory
RHSA-2025:21994 x_refsource_REDHATvendor-advisory
RHSA-2025:23078 x_refsource_REDHATvendor-advisory
RHSA-2025:23079 x_refsource_REDHATvendor-advisory
RHSA-2025:23080 x_refsource_REDHATvendor-advisory
RHSA-2026:0001 x_refsource_REDHATvendor-advisory
RHSA-2026:0078 x_refsource_REDHATvendor-advisory
RHSA-2026:0076 x_refsource_REDHATvendor-advisory
RHSA-2026:0077 x_refsource_REDHATvendor-advisory

Affected products

libtiff

<4.7.1
*

mingw-libtiff

compat-libtiff3

spice-client-win

rhaiis/vllm-cuda-rhel9

rhaiis/vllm-rocm-rhel9

rhaiis/model-opt-cuda-rhel9

discovery/discovery-ui-rhel9

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format

nixos-unstable 4.7.0
- nixpkgs-unstable 4.7.0
- nixos-unstable-small 4.7.0

Package maintainers

@autra Augustin Trancart <augustin.trancart@gmail.com>
@willcohen Will Cohen
@l0b0 Victor Engmark <victor@engmark.name>
@nh2 Niklas Hambüchen <mail@nh2.me>

Ignored maintainers (3)

@sikmir Nikolay Korotkiy <sikmir@disroot.org>
@nialov Nikolas Ovaskainen <nikolasovaskainen@gmail.com>
@imincik Ivan Mincik <ivan.mincik@gmail.com>

Additional maintainers

@balsoft Alexander Bantyev <balsoft75@gmail.com>