Introduction
Remote code execution and denial of service are possible on any system that uses LibTIFF to process untrusted TIFF images. The vulnerability directly affects document management systems, web platforms, and any other application that relies on LibTIFF for image parsing. It is triggered by a specially crafted image file and requires only minimal user interaction, such as opening or processing the file.
LibTIFF is a foundational open-source library for handling TIFF images. It is embedded in a wide range of software, from imaging suites and scientific applications to web services and operating systems. Its broad adoption means vulnerabilities can cascade across many products and industries.
Technical Information
CVE-2025-9900 is a write-what-where vulnerability classified under CWE-123 (Write-what-where Condition). It is triggered when LibTIFF processes a TIFF file whose metadata carries an abnormally large image height (the ImageLength tag). The oversized value leads to incorrect pointer arithmetic and out-of-bounds memory access, allowing attacker-controlled color data to be written to arbitrary memory locations.
The root cause is that LibTIFF does not adequately validate the image height before using it in internal size and offset calculations. A maliciously large value produces integer overflows or miscalculated pointers, which gives the attacker control over both the destination address and the data being written. The most likely exploitation paths overwrite function pointers, return addresses, or other critical memory structures, leading to denial of service or arbitrary code execution with the privileges of the affected process.
Public research has shown that the primitive can be exploited by controlling register contents during TIFF parsing: at the vulnerable write, the attacker controls the target address (for example via RAX) and the payload data (for example via RCX). The attack vector is network-based, since the file can be delivered remotely, and the bug is triggered by opening or processing the malicious TIFF, whether through direct user interaction or an automated processing pipeline.
No code snippets from the vulnerable source are included here, but detailed technical writeups and proof-of-concept code are available in the references.
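The arithmetic failure described above is easier to reason about with a concrete model. The following C program is an added illustration written for this page; it is not LibTIFF source and does not reproduce the actual vulnerable function. It uses a constructed 8-byte header standing in for the ImageWidth and ImageLength tags, an assumed 1 GiB raster ceiling (MAX_RASTER_BYTES), and hypothetical helper names (vuln_raster_bytes, row_dest_offset, safe_raster_bytes). It shows how an unchecked height wraps a 32-bit size computation to a tiny allocation while the bottom-up row offset derived from the same height points gigabytes past the buffer, and how overflow-checked multiplication plus an explicit limit rejects the same input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a raster we are willing to allocate (1 GiB).
 * This is a policy choice for the example, not a LibTIFF constant. */
#define MAX_RASTER_BYTES ((size_t)1 << 30)

/* Constructed stand-in for the two TIFF tags that matter here:
 * ImageWidth and ImageLength (the image height). Real TIFF stores these
 * in an IFD; this example reads them from a fixed 8-byte little-endian
 * header to keep the focus on the arithmetic. */
struct img_hdr {
    uint32_t width;
    uint32_t height;
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the constructed header; returns 0 on success, -1 if truncated. */
int parse_hdr(const uint8_t *buf, size_t len, struct img_hdr *h) {
    if (len < 8) return -1;
    h->width = rd32le(buf);
    h->height = rd32le(buf + 4);
    return 0;
}

/* Vulnerable pattern: the RGBA raster size is computed in 32-bit arithmetic
 * with no validation. For large heights the product wraps modulo 2^32, so a
 * tiny (even zero-byte) buffer is requested for an enormous image. */
uint32_t vuln_raster_bytes(uint32_t width, uint32_t height) {
    return width * height * 4u;
}

/* Byte offset a bottom-up row copy would write to, i.e. the distance of
 * raster + (height - 1 - row) * width pixels from the buffer start. With an
 * oversized height this offset lands far outside the allocation, so the
 * pixel data from the file (attacker-controlled) is written where the
 * height value steers it: a write-what-where primitive. */
uint64_t row_dest_offset(uint32_t width, uint32_t height, uint32_t row) {
    return (uint64_t)(height - 1u - row) * (uint64_t)width * 4u;
}

/* Returns 1 if row 0's destination would fall outside the buffer that the
 * vulnerable size computation produced, 0 otherwise. */
int vuln_write_escapes(uint32_t width, uint32_t height) {
    uint64_t alloc = vuln_raster_bytes(width, height);
    return row_dest_offset(width, height, 0) + (uint64_t)width * 4u > alloc;
}

/* Hardened form: reject zero dimensions, use overflow-checked multiplication,
 * and enforce an explicit size ceiling before anything is allocated. */
int safe_raster_bytes(uint32_t width, uint32_t height, size_t *out) {
    size_t pixels, bytes;
    if (width == 0 || height == 0) return -1;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels)) return -1;
    if (__builtin_mul_overflow(pixels, (size_t)4, &bytes)) return -1;
    if (bytes > MAX_RASTER_BYTES) return -1;
    *out = bytes;
    return 0;
}

/* Convenience wrapper: the validated size, or 0 when the input is rejected. */
size_t checked_raster_bytes(uint32_t width, uint32_t height) {
    size_t n;
    return safe_raster_bytes(width, height, &n) == 0 ? n : 0;
}

int main(void) {
    /* Constructed inputs: a benign 640x480 header and a malicious one whose
     * height makes width*height*4 equal exactly 2^32 (wraps to 0). */
    const uint8_t benign[8]    = {0x80, 0x02, 0, 0, 0xE0, 0x01, 0, 0};
    const uint8_t malicious[8] = {0x04, 0, 0, 0, 0, 0, 0, 0x40};
    const uint8_t *inputs[2] = {benign, malicious};

    for (int i = 0; i < 2; i++) {
        struct img_hdr h;
        size_t n = 0;
        if (parse_hdr(inputs[i], 8, &h) != 0) return 1;
        printf("width=%u height=0x%x\n", h.width, h.height);
        printf("  vulnerable: alloc %u bytes, row 0 written at offset %llu, escapes=%d\n",
               vuln_raster_bytes(h.width, h.height),
               (unsigned long long)row_dest_offset(h.width, h.height, 0),
               vuln_write_escapes(h.width, h.height));
        if (safe_raster_bytes(h.width, h.height, &n) == 0)
            printf("  hardened: accepted, %zu bytes\n", n);
        else
            printf("  hardened: rejected\n");
    }
    return 0;
}
```

The malicious header is the interesting case: vuln_raster_bytes returns 0, yet the first row would be written roughly 16 GiB from the buffer start, and the distance is a direct function of the file-supplied height. In the hardened path the overflow-checked product (2^34 bytes on 64-bit, or an outright overflow on 32-bit) exceeds the ceiling and the file is rejected before any allocation or copy.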
Patch Information
The Red Hat advisory RHSA-2025:4658 addresses CVE-2017-17095, a heap-based buffer overflow in the pal2rgb tool shipped with the libtiff package, by updating libtiff on Red Hat Enterprise Linux 8 to version 4.0.9-34.el8_10. (lists.suse.com)
That vulnerability stemmed from improper handling of certain TIFF files in pal2rgb and could lead to denial of service; the patch adds checks and validation to the tool to prevent the overflow. Users are advised to update their libtiff packages to this version to mitigate that issue. Note that RHSA-2025:4658 concerns CVE-2017-17095, not CVE-2025-9900; a fix for CVE-2025-9900 itself is not described on this page, so check your distribution's advisories for an updated LibTIFF build.
Affected Systems and Versions
- LibTIFF up to and including version 4.7.0 is affected
- All platforms and products embedding LibTIFF versions prior to the patched release are vulnerable
- The vulnerability is present in any configuration where LibTIFF processes untrusted TIFF files
Vendor Security History
LibTIFF has a long history of memory corruption and overflow vulnerabilities. According to CVE statistics, 63 overflow and 38 memory corruption issues have been reported in recent years; 2017 and 2023 stand out, with 19 and 14 overflow vulnerabilities respectively. Vendor response times have varied, although some critical issues have been patched within weeks. The project is maintained by a volunteer community, and its widespread use means a single vulnerability can have broad, cascading effects.