Fluid Attacks Database

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	imagemagick	=8:6.9.11.60+dfsg-1.3 \|\| =8:6.9.11.60+dfsg-1.3+deb11u1 \|\| =8:6.9.11.60+dfsg-1.3+deb11u2 \|\| =8:6.9.11.60+dfsg-1.3+deb11u3 \|\| =8:6.9.11.60+dfsg-1.3+deb11u4 \|\| =8:6.9.11.60+dfsg-1.3+deb11u5 \|\| >=0 <8:6.9.11.60+dfsg-1.3+deb11u6	8:6.9.11.60+dfsg-1.3+deb11u6
debian 12	imagemagick	=8:6.9.11.60+dfsg-1.6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u1 \|\| =8:6.9.11.60+dfsg-1.6+deb12u2 \|\| =8:6.9.11.60+dfsg-1.6+deb12u3 \|\| >=0 <8:6.9.11.60+dfsg-1.6+deb12u4	8:6.9.11.60+dfsg-1.6+deb12u4
debian 13	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.43+dfsg1-1+deb13u1 \|\| >=0 <8:7.1.1.43+dfsg1-1+deb13u2	8:7.1.1.43+dfsg1-1+deb13u2
debian 14	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.46+dfsg1-1 \|\| =8:7.1.1.47+dfsg1-1 \|\| =8:7.1.1.47+dfsg1-2 \|\| =8:7.1.2.1+dfsg1-1 \|\| >=0 <8:7.1.2.3+dfsg1-1	8:7.1.2.3+dfsg1-1
nuget	magick.net-q8-anycpu	>=0 <14.8.1	14.8.1
nuget	magick.net-q16-anycpu	>=0 <14.8.1	14.8.1
nuget	magick.net-q16-hdri-anycpu	>=0 <14.8.1	14.8.1
nuget	magick.net-q16-x86	>=0 <14.8.1	14.8.1
nuget	magick.net-q16-hdri-x86	>=0 <14.8.1	14.8.1
nuget	magick.net-q8-x86	>=0 <14.8.1	14.8.1

1-10 of 12

Aliases

1. CVE-2025-578032. NVD-2025-578033. OSV-DEBIAN-2025-578034. OSV-2025-578035. GHSA-mxvv-97wh-cfmm6. GCVE-2025-578037. SECURITY-TRACKER-CVE-2025-578038. lists.debian.org

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm2. https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d73. https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.