vulnerability
Amazon Linux 2023: CVE-2025-9900: Important priority package update for libtiff
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Sep 22, 2025 | Oct 16, 2025 | Oct 16, 2025 |
Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
Sep 22, 2025
Added
Oct 16, 2025
Modified
Oct 16, 2025
Description
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Solutions
amazon-linux-2023-upgrade-libtiffamazon-linux-2023-upgrade-libtiff-debuginfoamazon-linux-2023-upgrade-libtiff-debugsourceamazon-linux-2023-upgrade-libtiff-develamazon-linux-2023-upgrade-libtiff-staticamazon-linux-2023-upgrade-libtiff-toolsamazon-linux-2023-upgrade-libtiff-tools-debuginfo
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.