
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-9900) was discovered in Libtiff 4.7.0, identified as a 'write-what-where' condition. The flaw is triggered when the library processes a specially crafted TIFF image file with abnormally large image height values in the file's metadata. The vulnerability was disclosed on September 23, 2025, affecting the TIFFReadRGBAImageOriented() function in the Libtiff library (NVD, Red Hat).
The vulnerability exists in the raster decoding logic of Libtiff, specifically when processing paletted images with malformed metadata. The issue occurs in the TIFFReadRGBAImageOriented() function, which computes a pointer offset into the raster buffer using the formula: raster + (rheight - img.height) * rwidth. When an attacker supplies a large value for img.height (e.g., 0xFFFF) and a valid rheight (e.g., 256), the unsigned subtraction wraps around and the computation results in a large positive offset, causing the raster pointer to point beyond the allocated buffer. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub POC, Snyk).
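The offset arithmetic above, as an added example that is not libtiff's code: it models the raster origin computation with the values the advisory quotes, shows how 32-bit unsigned arithmetic turns the subtraction into a huge offset, and pairs it with a checked form that rejects an image height larger than the raster height. Function names, argument names and the raster layout are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not libtiff code. Models the raster origin computation
 * described above, origin = raster + (rheight - img_height) * rwidth, for a
 * raster of rheight * rwidth 32-bit pixels. All arithmetic is done on element
 * offsets rather than pointers so the wrap-around can be shown safely. */

/* Unchecked form: the 32-bit unsigned subtraction wraps when img_height
 * exceeds rheight, so the offset lands far past the end of the raster. */
static uint32_t origin_offset_unchecked(uint32_t rwidth, uint32_t rheight,
                                        uint32_t img_height)
{
    return (rheight - img_height) * rwidth;
}

/* Hardened form: validate the metadata before doing the arithmetic.
 * Returns 0 and stores the element offset on success, -1 when the image
 * height does not fit the raster or a dimension is zero. */
static int origin_offset_checked(uint32_t rwidth, uint32_t rheight,
                                 uint32_t img_height, uint64_t *offset)
{
    if (rwidth == 0 || img_height == 0 || img_height > rheight)
        return -1;
    uint64_t skip  = (uint64_t)(rheight - img_height) * rwidth;
    uint64_t total = (uint64_t)rheight * rwidth;
    /* Rows skipped plus rows the image fills must exactly cover the raster. */
    if (skip + (uint64_t)img_height * rwidth != total)
        return -1;
    *offset = skip;
    return 0;
}

int main(void)
{
    uint64_t off = 0;
    /* Well-formed: a 100-row image in a 256x256 raster starts 156 rows in. */
    if (origin_offset_checked(256, 256, 100, &off) == 0)
        printf("valid image: origin offset %llu pixels\n", (unsigned long long)off);
    /* Malformed metadata from the advisory: img.height 0xFFFF, rheight 256. */
    printf("unchecked offset: %u pixels (raster holds %u)\n",
           origin_offset_unchecked(256, 256, 0xFFFF), 256u * 256u);
    printf("checked: %s\n",
           origin_offset_checked(256, 256, 0xFFFF, &off) == 0 ? "accepted"
                                                             : "rejected");
    return 0;
}
```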
The vulnerability can be exploited to cause memory corruption, leading to denial of service (application crash) or potential arbitrary code execution with the permissions of the user running the application. The attacker has control over both the write address, through the offset calculation, and the written value, through the image's color palette data (NVD, GitHub POC).
The vulnerability has been fixed in Libtiff version 4.7.1, released on September 18, 2025. Users are advised to upgrade to this version or later. The fix addresses the buffer underflow crash in TIFFReadRGBAImageOriented(). For Ubuntu users, version 4.0.9-5ubuntu0.10+esm9 or higher contains the necessary security fixes (Snyk).
Source: This report was generated using AI