VYPR
Unrated severity · NVD Advisory · Published Nov 19, 2023 · Updated Nov 20, 2025

Imagemagick: heap use-after-free in coders/bmp.c

CVE-2023-5341

Description

ImageMagick's BMP decoder contains a heap use-after-free bug in coders/bmp.c that can be triggered by a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap use-after-free exists in the BMP decoding routine of ImageMagick, in the ReadBMPImage function in coders/bmp.c. It is reached when the decoder processes a crafted BMP whose file-header size field (bmp_info.file_size, read from bfSize in the BITMAPFILEHEADER) is nonzero and larger than the blob actually being read, so that the length the file declares and the data available to the decoder disagree. The fix is commit aa673b2e4defc7cad5bec16c4fc8324f71e531f1; builds that do not include that commit are affected.

Exploitation

An attacker must get a crafted BMP file in front of an application or service that decodes it with a vulnerable ImageMagick. No authentication or special privileges are needed; the bug fires when the victim, or more commonly an automated pipeline (upload thumbnailing, format conversion, mail or document gateways), opens or processes the image. The triggering condition is a file for which bmp_info.file_size > 0 and (MagickSizeType) bmp_info.file_size > GetBlobSize(image), which leads to a heap use-after-free during decoding [1][2]. Filtering on file extension alone is not a defence, since ImageMagick selects coders largely by sniffing the file content.
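As an added illustration (not ImageMagick's code; the function and enum names are this example's own), the following C program implements the header-level consistency check that the Vulnerability and Exploitation sections describe and applies it to a constructed 1x1 BMP whose bfSize field is varied. The use-after-free itself is not reproduced, because the page does not describe which object is freed; what the example shows is the input condition (a nonzero declared size larger than the blob) and the rejection a fixed decoder applies before any decoding state exists.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the header-level sanity check. Names are this example's own. */
enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_SHORT_HEADER,        /* fewer than 14 bytes available */
    BMP_ERR_BAD_MAGIC,           /* does not start with "BM" */
    BMP_ERR_INSUFFICIENT_DATA    /* nonzero declared size exceeds the blob */
};

/* Little-endian field helpers (BMP is always little-endian on disk). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = v >> 24;
}

/* The check the advisory describes, applied to the 14-byte BITMAPFILEHEADER:
 * bfSize (ImageMagick's bmp_info.file_size) is compared against the number of
 * bytes actually present. A nonzero bfSize larger than the blob means the file
 * is lying about its length and is rejected before any decoding state is
 * allocated. bfSize == 0 is tolerated because many writers leave it unset. */
enum bmp_status check_bmp_blob(const uint8_t *blob, size_t blob_size)
{
    if (blob_size < 14)
        return BMP_ERR_SHORT_HEADER;
    if (rd16(blob) != 0x4D42)            /* "BM" read as a little-endian uint16 */
        return BMP_ERR_BAD_MAGIC;
    uint32_t file_size = rd32(blob + 2); /* bfSize; bytes 6..9 are reserved */
    if (file_size != 0 && (uint64_t)file_size > (uint64_t)blob_size)
        return BMP_ERR_INSUFFICIENT_DATA;
    return BMP_OK;
}

/* Constructed sample: a complete 1x1 24-bit BMP (14-byte file header, 40-byte
 * BITMAPINFOHEADER, one BGR pixel padded to 4 bytes) whose bfSize field is set
 * to whatever the caller asks for. Returns the number of bytes written. */
#define BMP_1X1_SIZE 58u

size_t make_bmp_1x1(uint8_t *buf, size_t cap, uint32_t declared_file_size)
{
    if (cap < BMP_1X1_SIZE)
        return 0;
    memset(buf, 0, BMP_1X1_SIZE);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, declared_file_size);   /* bfSize: the honest value is 58 */
    wr32(buf + 10, 54);                  /* bfOffBits: pixels follow both headers */
    wr32(buf + 14, 40);                  /* biSize */
    wr32(buf + 18, 1);                   /* biWidth */
    wr32(buf + 22, 1);                   /* biHeight */
    wr16(buf + 26, 1);                   /* biPlanes */
    wr16(buf + 28, 24);                  /* biBitCount */
    wr32(buf + 34, 4);                   /* biSizeImage: one padded row */
    buf[54] = 0x00; buf[55] = 0x00; buf[56] = 0xFF;   /* one red pixel, BGR */
    return BMP_1X1_SIZE;
}

/* Build the sample with a given bfSize, optionally truncate it to simulate a
 * short read, and return what the check says about it. */
enum bmp_status status_for_sample(uint32_t declared_file_size, size_t bytes_available)
{
    uint8_t blob[BMP_1X1_SIZE];
    size_t n = make_bmp_1x1(blob, sizeof blob, declared_file_size);
    if (bytes_available < n)
        n = bytes_available;
    return check_bmp_blob(blob, n);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "short header", "bad magic", "insufficient data" };
    if (argc > 1) {  /* optional: run the check over a real file from disk */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END);
        long len = ftell(f);
        fseek(f, 0, SEEK_SET);
        uint8_t *buf = malloc(len > 0 ? (size_t)len : 1);
        size_t n = fread(buf, 1, len > 0 ? (size_t)len : 0, f);
        fclose(f);
        printf("%s: %s\n", argv[1], names[check_bmp_blob(buf, n)]);
        free(buf);
        return 0;
    }
    printf("honest bfSize=58      -> %s\n", names[status_for_sample(58, 58)]);
    printf("bfSize=0 (unset)      -> %s\n", names[status_for_sample(0, 58)]);
    printf("bfSize=59 > 58 bytes  -> %s\n", names[status_for_sample(59, 58)]);
    printf("bfSize=0xFFFFFFFF     -> %s\n", names[status_for_sample(0xFFFFFFFFu, 58)]);
    printf("truncated to 5 bytes  -> %s\n", names[status_for_sample(58, 5)]);
    return 0;
}
```

Run without arguments to see the five constructed cases, or pass a path to check a real file; the cast to a 64-bit type before the comparison mirrors the (MagickSizeType) cast in the advisory's condition, so a 32-bit bfSize is never compared against a truncated size_t.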

Impact

Successful exploitation yields a heap use-after-free. The reliable outcome is a crash of the decoding process (denial of service); under AddressSanitizer the fault is reported as heap-use-after-free. Escalating to code execution requires the attacker to reclaim the freed chunk with controlled data before the dangling pointer is dereferenced, so the practical impact depends on allocator behaviour and heap layout; the worst case is remote code execution in the context of the ImageMagick process [1][3].

Mitigation

The fix is commit aa673b2e4defc7cad5bec16c4fc8324f71e531f1 [2]. Update to a release that includes it, or backport the patch; users of distribution packages should take the vendor build, and Red Hat has opened tracking bugs for the affected Fedora and EPEL packages [3]. Where updating is delayed, defence in depth is to disable the BMP coder in policy.xml (a coder policy with rights="none" for the BMP pattern) on services that do not need it, and to decode untrusted images in a sandboxed worker process. As of this publication there is no evidence of exploitation in the wild, and the CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

37


References

3
