diff --git a/libtiff-4.6.0-cve-2025-9900.patch b/libtiff-4.6.0-cve-2025-9900.patch
new file mode 100644
index 0000000..b8f7956
--- /dev/null
+++ b/libtiff-4.6.0-cve-2025-9900.patch
@@ -0,0 +1,51 @@
+From 8c951535e8551e314a66cdff01b83f055a204e8c Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd..9e94353 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -600,6 +600,22 @@ int TIFFRGBAImageGet(TIFFRGBAImage *img, uint32_t *raster, uint32_t w,
+ "No \"put\" routine setupl; probably can not handle image format");
+ return (0);
+ }
++ /* Verify raster width and height against image width and height. */
++ if (h > img->height)
++ {
++ /* Adapt parameters to read only available lines and put image at
++ * the bottom of the raster. */
++ raster += (size_t)(h - img->height) * w;
++ h = img->height;
++ }
++ if (w > img->width)
++ {
++ TIFFWarningExtR(img->tif, TIFFFileName(img->tif),
++ "Raster width of %d shall not be larger than image "
++ "width of %d -> raster width adapted for reading",
++ w, img->width);
++ w = img->width;
++ }
+ return (*img->get)(img, raster, w, h);
+ }
+
+@@ -617,9 +633,7 @@ int TIFFReadRGBAImageOriented(TIFF *tif, uint32_t rwidth, uint32_t rheight,
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg))
+ {
+ img.req_orientation = (uint16_t)orientation;
+- /* XXX verify rwidth and rheight against width and height */
+- ok = TIFFRGBAImageGet(&img, raster + (rheight - img.height) * rwidth,
+- rwidth, img.height);
++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ TIFFRGBAImageEnd(&img);
+ }
+ else
+--
+2.47.3
+
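Review bot: The warning added in the `w > img->width` branch formats two `uint32_t` values with `%d`, so the specifier does not match the argument type and a width above INT_MAX would be reported as a negative number; `"Raster width of %" PRIu32 " shall not be larger than image "` and `"width of %" PRIu32 " -> raster width adapted for reading",` would match, assuming the PRI macros are available in this file. The `h > img->height` branch adjusts `raster` and `h` without any warning, and it computes the offset with the caller's `w` before the width clamp below it runs. If that ordering is intended, a comment such as `/* offset uses the caller's row stride; w is clamped afterwards */` would make the bounds reasoning checkable. TIFFRGBAImageGet begins before the hunk, and how `img->get` uses the clamped `w` is not visible here.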
diff --git a/libtiff.spec b/libtiff.spec index 52ae64b..a504ac7 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -12,6 +12,9 @@ Patch0: libtiff-am-version.patch # from upstream, for <=4.6.0, RHEL-52926 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 Patch1: libtiff-4.6.0-CVE-2024-7006.patch +# from upstream, for < 4.7.1, RHEL-112523 +# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff +Patch2: libtiff-4.6.0-cve-2025-9900.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel @@ -64,6 +67,7 @@ image files using the libtiff library. %patch -P 0 -p1 -b .backup %patch -P 1 -p1 -b .CVE-2024-7006 +%patch -P 2 -p1 -b .cve-2025-9900 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -162,6 +166,9 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check %{_mandir}/man1/* %changelog +* Thu Jan 15 2026 Michal Hlavinka - 4.6.0-7 +- fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112523) + * Mon Mar 31 2025 Michal Hlavinka - 4.6.0-6 - drop unused compat libtiff.so.5 (RHEL-85372)
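Review bot: The provenance comment added for Patch2 points at a merge-request `.diff` URL, which can change if the merge request is updated, whereas the Patch1 comment just above pins an upstream commit. For a CVE backport it is worth pinning the merged commit the same way, e.g. `# https://gitlab.com/libtiff/libtiff/-/commit/<upstream-commit-sha>`, so the shipped patch can be compared against a fixed upstream object. The patch file name and the `-b .cve-2025-9900` suffix also use lower case where Patch1 uses `CVE-2024-7006`; consistent casing makes the applied CVE fixes easier to search for.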