
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-9900) was discovered in LibTIFF version 4.7.0, identified as a 'write-what-where' condition that occurs when processing specially crafted TIFF image files. The vulnerability was disclosed on September 23, 2025, affecting the TIFFReadRGBAImageOriented() function in the library. This security flaw impacts systems and applications that use the LibTIFF library for processing TIFF images (Red Hat CVE, NVD).
The vulnerability exists in the raster decoding logic of LibTIFF, specifically when processing paletted (indexed color) images with malformed metadata. The issue occurs in the TIFFReadRGBAImageOriented() function, which computes a pointer offset into the raster buffer as raster + (rheight - img.height) * rwidth, where rwidth and rheight describe the destination raster and img.height is taken from the image's metadata. Because these values are unsigned 32-bit integers, an attacker who supplies a very large img.height alongside a valid rheight makes the subtraction wrap to a large positive offset, so the raster pointer points beyond the allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Github POC, NVD).
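To make the offset arithmetic concrete, here is an added C illustration (not LibTIFF's code, and not from this report) that mirrors the shape of the computation described above with constructed inputs. The parameter names rwidth, rheight and img_height are assumptions chosen to match the description; the unchecked function shows how the 32-bit subtraction wraps when img_height exceeds rheight, and the checked variant shows the bound the decoder needs before touching the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the row-offset arithmetic described in the
 * advisory. Not LibTIFF code. rwidth/rheight: destination raster size;
 * img_height: height read from the file's metadata. All are uint32_t. */

/* Unchecked form: when img_height > rheight the subtraction wraps modulo
 * 2^32 and the product becomes a huge offset into (and past) the raster. */
uint32_t unchecked_row_offset(uint32_t rwidth, uint32_t rheight, uint32_t img_height)
{
    return (rheight - img_height) * rwidth;
}

/* Hardened form: reject any image taller than the raster and do the
 * multiplication in 64 bits so the result cannot silently wrap. */
bool checked_row_offset(uint32_t rwidth, uint32_t rheight, uint32_t img_height,
                        uint64_t *offset_out)
{
    if (img_height > rheight)
        return false;                          /* subtraction would underflow */
    uint64_t off = (uint64_t)(rheight - img_height) * rwidth;
    if (off > (uint64_t)rwidth * rheight)      /* defensive: past raster end */
        return false;
    *offset_out = off;
    return true;
}

/* Fill img_height rows of an rwidth x rheight raster with one value, starting
 * at the validated offset (bottom-aligned placement as the description implies).
 * Returns false and leaves the raster untouched when the metadata would push
 * the write outside the buffer. */
bool fill_rows_checked(uint32_t *raster, uint32_t rwidth, uint32_t rheight,
                       uint32_t img_height, uint32_t value)
{
    uint64_t off;
    if (!checked_row_offset(rwidth, rheight, img_height, &off))
        return false;
    uint64_t count = (uint64_t)img_height * rwidth;   /* off + count == rwidth*rheight at most */
    for (uint64_t i = 0; i < count; i++)
        raster[off + i] = value;
    return true;
}

int main(void)
{
    const uint32_t rwidth = 64, rheight = 64;
    const uint32_t hostile_height = 65;   /* constructed: one row taller than the raster */

    printf("unchecked offset for img.height=%u: 0x%08x elements\n",
           hostile_height, unchecked_row_offset(rwidth, rheight, hostile_height));

    uint32_t *raster = calloc((size_t)rwidth * rheight, sizeof *raster);
    if (!raster)
        return 1;
    printf("checked fill with img.height=%u: %s\n", hostile_height,
           fill_rows_checked(raster, rwidth, rheight, hostile_height, 0xAABBCCDDu)
               ? "accepted" : "rejected");
    printf("checked fill with img.height=60: %s\n",
           fill_rows_checked(raster, rwidth, rheight, 60, 0xAABBCCDDu)
               ? "accepted" : "rejected");
    free(raster);
    return 0;
}
```

With a 64x64 raster and img.height=65, the unchecked offset is 0xFFFFFFC0 elements, which is the "large positive offset" the advisory describes; the checked path refuses the image before any write happens.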
The vulnerability can lead to memory corruption, potentially resulting in denial of service (application crash) or arbitrary code execution with the permissions of the user running the application. The attacker can control both the write address, through the offset computed from img.height, and the written value, through manipulation of the image's color palette (NVD, Github POC).
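The 8.8 score quoted above follows from the vector string by the CVSS v3.1 base equations. The following added C example (not from this report or from LibTIFF) parses a v3.1 vector and evaluates those equations, so the score can be reproduced or checked against a vendor's rating; the function and type names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: CVSS v3.1 base score from a vector string, following
 * the FIRST v3.1 specification equations. Only base metrics are handled. */

typedef struct { char av, ac, pr, ui, s, c, i, a; } cvss31_vec;

/* Parse "CVSS:3.1/AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x"; false on bad input. */
static bool cvss31_parse(const char *vec, cvss31_vec *out)
{
    char buf[128];
    if (strlen(vec) >= sizeof buf)
        return false;
    strcpy(buf, vec);
    memset(out, 0, sizeof *out);
    char *tok = strtok(buf, "/");
    if (!tok || strcmp(tok, "CVSS:3.1") != 0)
        return false;
    while ((tok = strtok(NULL, "/")) != NULL) {
        char *colon = strchr(tok, ':');
        if (!colon || strlen(colon) != 2)          /* expect K:V, single-letter V */
            return false;
        *colon = '\0';
        char *slot = !strcmp(tok, "AV") ? &out->av : !strcmp(tok, "AC") ? &out->ac :
                     !strcmp(tok, "PR") ? &out->pr : !strcmp(tok, "UI") ? &out->ui :
                     !strcmp(tok, "S")  ? &out->s  : !strcmp(tok, "C")  ? &out->c  :
                     !strcmp(tok, "I")  ? &out->i  : !strcmp(tok, "A")  ? &out->a  : NULL;
        if (!slot)
            return false;
        *slot = colon[1];
    }
    return out->av && out->ac && out->pr && out->ui && out->s && out->c && out->i && out->a;
}

/* Spec round-up to one decimal, done in integer arithmetic to avoid FP noise. */
static double cvss31_roundup(double x)
{
    long n = (long)(x * 100000.0 + 0.5);
    if (n % 10000 == 0)
        return n / 100000.0;
    return (n / 10000 + 1) / 10.0;
}

static double cia_weight(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }
static double pow15(double x) { double r = 1.0; for (int k = 0; k < 15; k++) r *= x; return r; }

/* Returns the base score, or -1.0 for an unparsable vector or unknown value. */
double cvss31_base_score(const char *vec)
{
    cvss31_vec m;
    if (!cvss31_parse(vec, &m))
        return -1.0;
    bool changed = (m.s == 'C');
    double av = m.av == 'N' ? 0.85 : m.av == 'A' ? 0.62 : m.av == 'L' ? 0.55 : m.av == 'P' ? 0.2 : -1;
    double ac = m.ac == 'L' ? 0.77 : m.ac == 'H' ? 0.44 : -1;
    double ui = m.ui == 'N' ? 0.85 : m.ui == 'R' ? 0.62 : -1;
    double pr = m.pr == 'N' ? 0.85 : m.pr == 'L' ? (changed ? 0.68 : 0.62)
              : m.pr == 'H' ? (changed ? 0.50 : 0.27) : -1;   /* PR weight depends on scope */
    if (av < 0 || ac < 0 || ui < 0 || pr < 0 || (m.s != 'U' && m.s != 'C') ||
        !strchr("HLN", m.c) || !strchr("HLN", m.i) || !strchr("HLN", m.a))
        return -1.0;

    double iss = 1.0 - (1 - cia_weight(m.c)) * (1 - cia_weight(m.i)) * (1 - cia_weight(m.a));
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02) : 6.42 * iss;
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0)
        return 0.0;
    double sum = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return cvss31_roundup(sum > 10.0 ? 10.0 : sum);
}

int main(void)
{
    const char *vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H";   /* from the advisory */
    printf("%s -> %.1f\n", vec, cvss31_base_score(vec));
    return 0;
}
```

For the advisory's vector this yields an impact of 6.42 * (1 - 0.44^3) = 5.873 and an exploitability of 8.22 * 0.85 * 0.77 * 0.85 * 0.62 = 2.835, so the sum 8.708 rounds up to 8.8. Dropping UI:R to UI:N raises the exploitability term and gives 9.8, which is the usual way to see how much the user-interaction requirement is worth in the rating.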
The vulnerability has been fixed in LibTIFF version 4.7.1, released on September 18, 2025. Users are advised to upgrade to this version. The fix addresses the buffer underflow crash in TIFFReadRGBAImageOriented(). Major Linux distributions including Ubuntu have released security updates to address this vulnerability (Ubuntu Security, Openwall).
Source: This report was generated using AI