diff --git a/compat-libtiff3.spec b/compat-libtiff3.spec
index 7f8e084ce876904bb9a75a4e0258b0126d0d9eff..0031ad76a96629da5def11a1029dd86f84d91403 100644
--- a/compat-libtiff3.spec
+++ b/compat-libtiff3.spec
@@ -1,7 +1,7 @@
 Summary: Compatibility package for libtiff 3
 Name: compat-libtiff3
 Version: 3.9.4
-Release: 12%{?dist}
+Release: 12%{?dist}.1
 License: libtiff
 Group: System Environment/Libraries
@@ -37,6 +37,7 @@ Patch30: libtiff-CVE-2013-4232.patch
 Patch31: libtiff-CVE-2013-4244.patch
 Patch32: libtiff-CVE-2013-4243.patch
 Patch33: libtiff-CVE-2018-7456.patch
+Patch34: libtiff-CVE-2025-9900.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -82,6 +83,7 @@ to use the current version of libtiff.
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
+%patch34 -p1
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -126,6 +128,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libtiffxx.so.*
 %changelog
+* Wed Dec 03 2025 zhuhongbo - 3.9.4-12.1
+- cve: fix cve CVE-2025-9900
+
 * Mon May 28 2018 Nikola Forró - 3.9.4-12
 - Fix CVE-2018-7456
 - Resolves: #1561319
diff --git a/libtiff-CVE-2025-9900.patch b/libtiff-CVE-2025-9900.patch
new file mode 100644
index 0000000000000000000000000000000000000000..78e22b474d34a658fb3d160e1244d7fb7a9c937b
--- /dev/null
+++ b/libtiff-CVE-2025-9900.patch
@@ -0,0 +1,50 @@
+From 918ef83ad7fdb233a5ac922444bdd5e841760d41 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Fri, 5 Dec 2025 17:03:16 +0800
+Subject: [PATCH] fix cve CVE-2025-9900
+
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 6db0a4b..242f816 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -458,6 +458,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ "No \"put\" routine setupl; probably can not handle image format");
+ return (0);
+ }
++ /* Verify raster width and height against image width and height. */
++ if (h > img->height)
++ {
++ /* Adapt parameters to read only available lines and put image at
++ * the bottom of the raster. */
++ raster += (size_t)(h - img->height) * w;
++ h = img->height;
++ }
++ if (w > img->width)
++ {
++ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
++ "Raster width of %d shall not be larger than image "
++ "width of %d -> raster width adapted for reading",
++ w, img->width);
++ w = img->width;
++ }
+ return (*img->get)(img, raster, w, h);
+ }
+
+@@ -476,9 +492,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ img.req_orientation = orientation;
+- /* XXX verify rwidth and rheight against width and height */
+- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+- rwidth, img.height);
++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ TIFFRGBAImageEnd(&img);
+ } else {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+--
+2.39.3
+
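Review bot: The warning added in the width check of TIFFRGBAImageGet prints `w` and `img->width` with `%d`, but both are `uint32`, so the specifier does not match the argument type and a very large raster width would be logged as a negative number; `%lu` with `(unsigned long) w, (unsigned long) img->width` is correct however `uint32` is defined. The height branch also computes the raster offset from the caller's `w` before the width branch lowers it, so if the `get` routine takes its row stride from `w` (not visible in this hunk), a caller passing a raster wider than the image gets rows packed at `img->width`; that stays inside the buffer but changes the layout, and a comment such as `/* rows are written with stride img->width, not the caller's raster width */` above `w = img->width;` would record it. Both function bodies begin outside the hunks shown, and the patch header carries no reference to the upstream change it was backported from, which would help when auditing the backport.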