CVE-2025-8851: 
NixOS vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability (CVE-2025-8851) was discovered in LibTIFF versions up to 4.5.1. The vulnerability specifically affects the readSeparateStripsetoBuffer function within the tools/tiffcrop.c file of the tiffcrop component. The issue was discovered on August 11, 2025, and requires local access to exploit (NVD).

The vulnerability is classified as a stack-based buffer overflow (CWE-121) and improper restriction of operations within memory buffer bounds (CWE-119). It has received a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The vulnerability requires local access with low attack complexity and low privileges, requiring no user interaction (NVD, Snyk).

The exploitation of this vulnerability could lead to limited loss of confidentiality, integrity, and availability. While the attacker doesn't have full control over the consequences, they can potentially cause data modification and service interruptions. The impact is considered moderate as the resources remain partially available, though performance may be reduced (Snyk).

A patch has been identified (commit 8a7a48d7a645992ca83062b3a1873c951661e2b3) and is available for affected systems. Users are recommended to upgrade to LibTIFF version 4.5.1+git230720-4ubuntu2.3 or higher. Ubuntu has released security updates for affected versions across multiple releases, including 25.04, 24.04 LTS, 22.04 LTS, and others (Ubuntu Security Notice).