๐Ÿ” CVE Alert

CVE-2025-9900

HIGH 8.8

Libtiff: libtiff write-what-where

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 11th

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

CWE: CWE-123
Published: Sep 23, 2025
Last Updated: Apr 13, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Red Hat / Red Hat Enterprise Linux 10: All versions affected
Red Hat / Red Hat Enterprise Linux 7 Extended Lifecycle Support: All versions affected
Red Hat / Red Hat Enterprise Linux 8: All versions affected
Red Hat / Red Hat Enterprise Linux 8.2 Advanced Update Support: All versions affected
Red Hat / Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support: All versions affected
Red Hat / Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On: All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support: All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Telecommunications Update Service: All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions: All versions affected
Red Hat / Red Hat Enterprise Linux 8.8 Telecommunications Update Service: All versions affected
Red Hat / Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions: All versions affected
Red Hat / Red Hat Enterprise Linux 9: All versions affected
Red Hat / Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions: All versions affected
Red Hat / Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions: All versions affected
Red Hat / Red Hat Enterprise Linux 9.4 Extended Update Support: All versions affected
Red Hat / Red Hat AI Inference Server 3.2: All versions affected
Red Hat / Red Hat Discovery 2: All versions affected
Red Hat / Red Hat Enterprise Linux 6: All versions affected
Red Hat / Red Hat Hardened Images: All versions affected

References

https://access.redhat.com/errata/RHSA-2025:17651
https://access.redhat.com/errata/RHSA-2025:17675
https://access.redhat.com/errata/RHSA-2025:17710
https://access.redhat.com/errata/RHSA-2025:17738
https://access.redhat.com/errata/RHSA-2025:17739
https://access.redhat.com/errata/RHSA-2025:17740
https://access.redhat.com/errata/RHSA-2025:19113
https://access.redhat.com/errata/RHSA-2025:19156
https://access.redhat.com/errata/RHSA-2025:19276
https://access.redhat.com/errata/RHSA-2025:19906
https://access.redhat.com/errata/RHSA-2025:19947
https://access.redhat.com/errata/RHSA-2025:20956
https://access.redhat.com/errata/RHSA-2025:20998
https://access.redhat.com/errata/RHSA-2025:21060
https://access.redhat.com/errata/RHSA-2025:21061
https://access.redhat.com/errata/RHSA-2025:21062
https://access.redhat.com/errata/RHSA-2025:21407
https://access.redhat.com/errata/RHSA-2025:21506
https://access.redhat.com/errata/RHSA-2025:21507
https://access.redhat.com/errata/RHSA-2025:21508
https://access.redhat.com/errata/RHSA-2025:21994
https://access.redhat.com/errata/RHSA-2025:23078
https://access.redhat.com/errata/RHSA-2025:23079
https://access.redhat.com/errata/RHSA-2025:23080
https://access.redhat.com/errata/RHSA-2026:0001
https://access.redhat.com/errata/RHSA-2026:0076
https://access.redhat.com/errata/RHSA-2026:0077
https://access.redhat.com/errata/RHSA-2026:0078
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/security/cve/CVE-2025-9900
https://bugzilla.redhat.com/show_bug.cgi?id=2392784
https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file
https://gitlab.com/libtiff/libtiff/-/issues/704
https://gitlab.com/libtiff/libtiff/-/merge_requests/732
https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html
https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html
http://www.openwall.com/lists/oss-security/2025/09/26/3

Credits

Red Hat would like to thank Gareth C (AnchorSec Ltd.) for reporting this issue.