CVE-2025-57803

ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

ImageMagick es un software gratuito y de código abierto que se utiliza para editar y manipular imágenes digitales. Antes de las versiones 6.9.13-28 y 7.1.2-2 de la compilación de 32 bits de ImageMagick, un desbordamiento de entero de 32 bits en el cálculo del paso de línea de escaneo del codificador BMP reducía el valor de bytes_per_line (paso) a un valor minúsculo, mientras que el escritor por fila seguía emitiendo 3 bytes de ancho para imágenes de 24 bpp. El puntero de base de fila avanza utilizando el paso (desbordado), por lo que la primera fila escribe inmediatamente más allá de su ranura y en la memoria del montón adyacente con bytes controlados por el atacante. Esta es una primitiva clásica y potente para la corrupción del montón en las canalizaciones de autoconversión comunes. Este problema se ha corregido en las versiones 6.9.13-28 y 7.1.2-2.

A flaw was found in ImageMagick. In 32-bit builds, the Bitmap encoder miscalculates the stride value when processing images with very large with. Mathematically, the stride value is calculated as width multiplied by 3 but the theoretical limit of such value is 2^32 for 32-bit integers. So, if this value is exceeded, the encoder uses modulo to convert it down and then takes the smaller value as the actual stride length. This is problematic because the pixel data starts to overlap when being added to the buffer due to the small stride value messing up the rows. This heap buffer overflow allows an attacker to cause a denial of service or, with crafted input, potentially execute arbitrary code.

This update for ImageMagick fixes the following issues. Fixed heap buffer over-read in in ReadOneMNGIMage when processing images with separate alpha channels. Fixed heap buffer overflow when transforming from Log to sRGB colorspaces. Fixed integer overflow when performing magnified size calculations in ReadOneMNGIMage. Fixed undefined behavior due to function-type-mismatch in CloneSplayTree. Fixed division-by-zero in ThumbnailImage when passing a geometry string containing only a colon to 'montage -geometry'. Fixed heap overflow due to format string bug vulnerability. Fixed heap out-of-bounds write due to 32-bit integer overflow. Fixed output file placeholders.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-08-20 CVE Reserved
2025-08-26 CVE Published
2025-09-02 CVE Updated
2025-09-02 First Exploit
2025-10-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-122: Heap-based Buffer Overflow
CWE-190: Integer Overflow or Wraparound

CAPEC

References (5)

URL	Tag	Source
https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1	Release Notes

URL	Date	SRC
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm	2025-09-02

URL	Date	SRC
https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7	2025-08-26

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-57803	2025-09-22
https://bugzilla.redhat.com/show_bug.cgi?id=2391093	2025-09-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Imagemagick Search vendor "Imagemagick"		Imagemagick Search vendor "Imagemagick" for product "Imagemagick"				< 6.9.13-28 Search vendor "Imagemagick" for product "Imagemagick" and version " < 6.9.13-28"		-		Affected
Imagemagick Search vendor "Imagemagick"		Imagemagick Search vendor "Imagemagick" for product "Imagemagick"				>= 7.0.0-0 < 7.1.2-2 Search vendor "Imagemagick" for product "Imagemagick" and version " >= 7.0.0-0 < 7.1.2-2"		-		Affected