VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2020 · Updated Aug 4, 2024

CVE-2020-25663

Description

A heap-use-after-free or heap-buffer-overflow read in ImageMagick's SetImageAlphaChannel() can cause denial of service when processing a crafted image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-use-after-free or heap-buffer-overflow READ vulnerability exists in ImageMagick's SetImageAlphaChannel() routine in /MagickCore/channel.c. The bug is triggered when ConformPixelInfo() is called, causing subsequent calls to GetPixelRed() or GetPixelBlue() in pixel-accessor.h to read from freed or out-of-bounds heap memory. This flaw affects ImageMagick versions prior to 7.0.9-0.

Exploitation

An attacker can exploit the vulnerability by submitting a specially crafted image file (PoC) to be processed by ImageMagick with specific command-line options such as -despeckle -flip -monochrome -alpha Shape [1][2]. No authentication or special privileges are required, as the attacker only needs to provide the malicious image to a user or service that processes it with vulnerable ImageMagick versions.

Impact

Successful exploitation leads to a denial of service (DoS) due to a heap-use-after-free or heap-buffer-overflow read. The memory is used as pixel data and not as a function pointer, so code execution is unlikely [3]. The read of freed memory causes unpredictable behavior, typically resulting in a crash.

Mitigation

The vulnerability is fixed in ImageMagick version 7.0.9-0 and later [3]. Users should upgrade to the patched version or apply the update from their vendor. For Red Hat Enterprise Linux 5, 6, and 7, this flaw is out of support scope [3]. No workaround is available other than avoiding the processing of untrusted images with vulnerable versions.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use-after-free in SetImageAlphaChannel() where ConformPixelInfo() frees the pixel cache but the function continues to read from the freed memory via GetPixelRed()/GetPixelBlue()."

Attack vector

An attacker submits a crafted image file that, when processed with a command such as `magick $PoC -despeckle -flip -monochrome -alpha Shape tmp.rla`, triggers the vulnerable code path [ref_id=1]. The `-alpha Shape` option invokes `SetImageAlphaChannel()`, which calls `ConformPixelInfo()` — that call frees the pixel cache, but the function subsequently reads from the freed memory via `GetPixelRed()` or `GetPixelBlue()` [ref_id=3]. The attacker needs no special privileges beyond the ability to supply a malicious image to ImageMagick.

Affected code

The bug is in `SetImageAlphaChannel()` in `/MagickCore/channel.c`. At line 1294, a call to `ConformPixelInfo()` (in `/MagickCore/pixel.c`) frees the pixel cache via `RelinquishPixelCachePixels`, but the function then continues to read from the freed pixel data at line 1298 via `GetPixelIntensity` → `GetPixelRed` in `/MagickCore/pixel-accessor.h:378` [ref_id=1][ref_id=3].

What the fix does

No patch is included in the bundle. The advisory [ref_id=3] states the flaw affects ImageMagick versions prior to 7.0.9-0, implying the fix was applied in that release. The remediation would need to ensure that after `ConformPixelInfo()` reallocates or frees the pixel cache, `SetImageAlphaChannel()` does not continue to use stale pixel pointers — either by re-acquiring the pixel cache reference after the call or by restructuring the logic to avoid the use-after-free.
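
The stale-pointer ordering and the re-acquire ordering described above, in a toy model. This is an added example, not ImageMagick code and not the project's actual fix; `toy_image`, `toy_get_row`, `toy_conform`, `toy_shape_alpha` and the `TOY_SHOW_STALE` macro are hypothetical names, and the sample row is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model, hypothetical names (not ImageMagick's API): one heap pixel row. */
typedef struct { unsigned char *cache; size_t width, channels; } toy_image;

/* Borrowed pointer into the cache; valid only until the next toy_conform(). */
static const unsigned char *toy_get_row(const toy_image *img) { return img->cache; }
/* Promote a 1-channel image to 3 channels; the old cache is freed. */
static int toy_conform(toy_image *img) {
    if (img->channels == 3) return 0;
    unsigned char *fresh = malloc(img->width * 3);
    if (fresh == NULL) return -1;
    for (size_t x = 0; x < img->width; x++)
        memset(fresh + 3 * x, img->cache[x], 3);
    free(img->cache);   /* pointers borrowed before this line are now stale */
    img->cache = fresh;
    img->channels = 3;
    return 0;
}

#ifdef TOY_SHOW_STALE   /* not compiled by default: the stale ordering */
int toy_shape_alpha_stale(toy_image *img, unsigned char *alpha_out) {
    const unsigned char *q = toy_get_row(img);  /* borrowed before conform */
    if (toy_conform(img) != 0) return -1;       /* frees what q points at */
    for (size_t x = 0; x < img->width; x++)
        alpha_out[x] = q[img->channels * x];    /* reads freed, too-small block */
    return 0;
}
#endif

/* Corrected ordering: conform first, then borrow the pointer. */
int toy_shape_alpha(toy_image *img, unsigned char *alpha_out) {
    if (toy_conform(img) != 0) return -1;
    const unsigned char *q = toy_get_row(img);  /* re-acquired after conform */
    for (size_t x = 0; x < img->width; x++)
        alpha_out[x] = q[img->channels * x];    /* first sample of pixel x */
    return 0;
}

int main(void) {
    toy_image img = { malloc(4), 4, 1 };
    unsigned char alpha[4] = {0};
    if (img.cache == NULL) return 1;
    memcpy(img.cache, "\x10\x20\x30\x40", 4);   /* constructed sample row */
    int rc = toy_shape_alpha(&img, alpha);
    free(img.cache);
    return (rc == 0 && alpha[0] == 0x10 && alpha[3] == 0x40) ? 0 : 1;
}
```

In the stale variant of this model the old block is both freed and smaller than the index range used after conform, which is how one ordering mistake can surface as either report type under a memory sanitizer.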

Preconditions

  • input: Attacker must supply a malicious image file that triggers the vulnerable code path
  • input: The image must be processed with options that invoke SetImageAlphaChannel (e.g., -alpha Shape)
  • auth: No authentication or special privileges required beyond access to ImageMagick processing

Reproduction

Run the following command with a crafted PoC file: `magick $PoC -despeckle -flip -monochrome -alpha Shape tmp.rla` [ref_id=1]. The PoC file is referenced in the issue but not included in the bundle.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
