diff --git a/SOURCES/RHEL-120239.patch b/SOURCES/RHEL-120239.patch
deleted file mode 100644
index 577ffb5..0000000
--- a/SOURCES/RHEL-120239.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From b61432188838f1f3a6df7096852ac48a0cafd5a0 Mon Sep 17 00:00:00 2001
-From: Lee Howard <faxguy@howardsilvan.com>
-Date: Mon, 19 May 2025 10:53:30 -0700
-Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
- #703
-
----
- tools/tiffdither.c | 4 ++--
- tools/tiffmedian.c | 9 ++++++---
- 2 files changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/tools/tiffdither.c b/tools/tiffdither.c
-index f3f9672..42ad079 100644
---- a/tools/tiffdither.c
-+++ b/tools/tiffdither.c
-@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
- 	nextptr = nextline;
- 	for (j = 0; j < imagewidth; ++j)
- 		*nextptr++ = *inptr++;
--	for (i = 1; i < imagelength; ++i) {
-+	for (i = 0; i < imagelength; ++i) {
- 		tmpptr = thisline;
- 		thisline = nextline;
- 		nextline = tmpptr;
-@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
- 					nextptr[0] += v / 16;
- 			}
- 		}
--		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
-+		if (TIFFWriteScanline(out, outline, i, 0) < 0)
- 			goto skip_on_error;
- 	}
- 	goto exit_label;
-diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
-index 90c4c6a..8fc2674 100644
---- a/tools/tiffmedian.c
-+++ b/tools/tiffmedian.c
-@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box)
- 	}
- 	for (i = 0; i < imagelength; i++) {
- 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
--			break;
-+		{
-+			fprintf(stderr, "Error reading scanline\n");
-+			exit(EXIT_FAILURE);
-+		}
- 		inptr = inputline;
- 		for (j = imagewidth; j-- > 0;) {
- 			red = (*inptr++) & 0xff >> COLOR_SHIFT;
-@@ -845,7 +848,7 @@ quant_fsdither(TIFF* in, TIFF* out)
- 	outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
- 
- 	GetInputLine(in, 0, goto bad);		/* get first line */
--	for (i = 1; i <= imagelength; ++i) {
-+	for (i = 0; i < imagelength; ++i) {
- 		SWAP(short *, thisline, nextline);
- 		lastline = (i >= imax);
- 		if (i <= imax)
-@@ -916,7 +919,7 @@ quant_fsdither(TIFF* in, TIFF* out)
- 				nextptr += 3;
- 			}
- 		}
--		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
-+		if (TIFFWriteScanline(out, outline, i, 0) < 0)
- 			break;
- 	}
- bad:
--- 
-2.47.3
-
diff --git a/SOURCES/libtiff-4.4.0-cve-2025-8176.patch b/SOURCES/libtiff-4.4.0-cve-2025-8176.patch
new file mode 100644
index 0000000..2ea9dbf
--- /dev/null
+++ b/SOURCES/libtiff-4.4.0-cve-2025-8176.patch
@@ -0,0 +1,16 @@
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 354ee94c7a0a79e887bc8f835697b57b737548cb..2c79553be87e655f69690744b574b92c59fa92b5 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ 	}
+ 	for (i = 0; i < imagelength; i++) {
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
++		{
++			fprintf(stderr, "Error reading scanline\n");
++			exit(EXIT_FAILURE);
++		}
+ 		inptr = inputline;
+ 		for (j = imagewidth; j-- > 0;) {
+ 			red = (*inptr++) & 0xff >> COLOR_SHIFT;
diff --git a/SOURCES/RHEL-112545.patch b/SOURCES/libtiff-4.4.0-cve-2025-9900.patch
similarity index 63%
rename from SOURCES/RHEL-112545.patch
rename to SOURCES/libtiff-4.4.0-cve-2025-9900.patch
index 58b5d36..d094a32 100644
--- a/SOURCES/RHEL-112545.patch
+++ b/SOURCES/libtiff-4.4.0-cve-2025-9900.patch
@@ -1,22 +1,11 @@
-From 0464ac4b3a332e91b3f10962087f53f0e969ac6a Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Wed, 11 Jun 2025 19:45:19 +0000
-Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
- rows at TIFFReadRGBAImageOriented()
-
----
- libtiff/tif_getimage.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 2eb4672..d243dda 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+diff -up tiff-4.4.0/libtiff/tif_getimage.c.before tiff-4.4.0/libtiff/tif_getimage.c
+--- tiff-4.4.0/libtiff/tif_getimage.c.before	2026-01-18 23:50:18.171737478 +0100
++++ tiff-4.4.0/libtiff/tif_getimage.c	2026-01-18 23:50:18.179737456 +0100
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uin
  		"No \"put\" routine setupl; probably can not handle image format");
  		return (0);
      }
-+    /* Verify raster width and height against image width and height. */
++	/* Verify raster width and height against image width and height. */
 +    if (h > img->height)
 +    {
 +        /* Adapt parameters to read only available lines and put image at
@@ -46,6 +35,3 @@ index 2eb4672..d243dda 100644
  		TIFFRGBAImageEnd(&img);
  	} else {
  		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
--- 
-2.47.3
-
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 3843190..4fa6b6f 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       15%{?dist}.3
+Release:       18%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/
 
@@ -43,11 +43,13 @@ Patch23:       libtiff-4.6.0-CVE-2024-7006.patch
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
 Patch24:       libtiff-4.4.0-CVE-2023-52356.patch
 Patch25:       libtiff-4.4.0-cve2023-52355.patch
-# CVE-2025-9900, RHEL-112545
-Patch26:       RHEL-112545.patch
-# CVE-2025-8176, RHEL-120239
-Patch27:       RHEL-120239.patch
-# from upstream, for <= 4.7.1, RHEL-159330
+# from upstream, for < 4.7.1, RHEL-112543
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff
+Patch26:       libtiff-4.4.0-cve-2025-9900.patch
+# frin upstream, for < 4.7.1, RHEL-120238
+# https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172
+Patch27:       libtiff-4.4.0-cve-2025-8176.patch
+# from upstream, for <= 4.7.1, RHEL-159331
 # https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
 Patch28:       libtiff-4.6.0-CVE-2026-4775.patch
 
@@ -208,16 +210,15 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
-* Mon Apr 20 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-15.3
-- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159330)
+* Mon May 11 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-18
+- rebuild
 
-* Mon Nov 03 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.4.0-15.2
-- fix CVE-2025-8176: tiffdither and tiffmedian skip first line of input
-  images (RHEL-120239)
+* Thu May 07 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-15.3
+- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159331)
 
-* Fri Oct 24 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.4.0-15.1
-- fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented
-  (RHEL-112545)
+* Sun Jan 18 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-16
+- fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112543)
+- fix CVE-2025-8176: use after free in tiffmedian (RHEL-120238)
 
 * Mon May 05 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-15
 - backport documentation change for CVE-2023-52355 (RHEL-17328)