Skip to main content

LibTIFF CVE-2025-8176

LOW
Buffer Overflow (CWE-119)
2025-07-26 cna@vuldb.com
Buffer Overflow Denial Of Service Libtiff
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:30 vuln.today

DescriptionCVE.org

A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue.

AnalysisAI

Use-after-free vulnerability in LibTIFF up to version 4.7.0 affects the get_histogram function in tiffmedian.c, allowing local authenticated attackers to cause denial of service or limited data corruption. Despite a critical severity declaration and publicly available exploit code, the CVSS 4.0 vector assigns a low score (1.9) due to local-only access requirements, high attack complexity constraints, and limited impact scope; EPSS places real exploitation probability at 0.03%, suggesting this remains a low-priority issue in typical deployments.

Technical ContextAI

LibTIFF is a widely-used image processing library for handling Tagged Image File Format (TIFF) files, commonly embedded in applications that process image data. The vulnerability exists in tiffmedian.c, a utility tool within LibTIFF's toolkit, specifically in the get_histogram function which processes histogram data from TIFF files. The root cause is classified under CWE-119 (improper restriction of operations within the bounds of a memory buffer), manifesting as a use-after-free condition where memory is accessed after it has been freed. This memory safety flaw can occur when processing specially crafted TIFF files, potentially leading to information disclosure or denial of service depending on memory layout and exploitation context.

RemediationAI

Apply the vendor-released patch identified by commit fe10872e53efba9cc36c66ac4ab3b41a839d5172 from the LibTIFF GitLab repository (https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172). Upgrade to LibTIFF version 4.7.1 or later when released, or pull the latest development branch. For systems unable to immediately patch, implement filesystem-level access controls restricting which local users can invoke the tiffmedian utility tool (e.g., via file permissions or AppArmor/SELinux policy); this eliminates PR:L (low-privilege local user) attack surface if only trusted administrators run TIFF processing. Verify that embedded LibTIFF instances in third-party applications are updated, as security updates to the base library may not automatically propagate. Test patched builds with locally-stored TIFF files from the GitLab issue #707 to confirm the use-after-free condition is resolved before full deployment.

Share

CVE-2025-8176 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy