CVE-2025-46393
Description
ImageMagick before 7.1.1-44 mishandles packet_size in multispectral MIFF processing, potentially leading to heap corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick before version 7.1.1-44, a heap corruption vulnerability exists in the processing of multispectral MIFF (Magick Image File Format) images. The issue stems from incorrect calculation of packet_size in the ReadMIFFImage and WriteMIFFImage functions. Prior to the fix, when image->number_meta_channels was non-zero, packet_size was incorrectly incremented by image->number_meta_channels * image->depth / 8 instead of being recalculated to account for all channels. The correct formula should set packet_size = GetImageChannels(image) * image->depth / 8 to properly size the buffer for reading or writing all channels (including meta channels) in an arbitrary order. The affected versions are ImageMagick prior to 7.1.1-44 [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a multispectral MIFF image file with meta channels. The attacker needs no special privileges beyond the ability to provide this image file to an application that uses ImageMagick for processing. The application must process the image through the MIFF reading or writing code path (e.g., ReadMIFFImage or WriteMIFFImage). No user interaction is required beyond opening the file. The flawed packet size calculation leads to a heap buffer that is smaller than required, which may cause out-of-bounds writes when rendering channels in arbitrary order [1][2].
Impact
Successful exploitation can lead to heap corruption, potentially resulting in a denial of service (crash) or arbitrary code execution in the context of the application processing the image. The impact depends on the heap layout and specifics of the application using ImageMagick. As this is a memory corruption vulnerability, the confidentiality, integrity, and availability of the system could be compromised [1][2].
Mitigation
The vulnerability is fixed in ImageMagick version 7.1.1-44, released on 2025-02-22. Users should upgrade to this version or later. The fix is implemented in commit 81ac8a0d2eb21739842ed18c48c7646b7eef65b8 [1][2]. On systems that cannot be updated immediately, users should avoid processing MIFF images from untrusted sources. This is not a complete workaround, as other image formats may also be affected by similar issues; this CVE itself is specific to the MIFF code path. The advisory is available in the ImageMagick changelog [1].
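The interim mitigation above can be enforced at an upload boundary. The following is an added example, not code from ImageMagick or from this page: it compares the upstream version in a `magick -version` style banner against 7.1.1-44 and, while the build is affected, rejects input that would reach the MIFF coder. The function names and sample inputs are assumptions made for illustration.

```python
import re

FIXED = (7, 1, 1, 44)  # first fixed upstream release named on this page


def parse_version(banner):
    """Extract (major, minor, patch, release) from `magick -version` style text."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", banner)
    if m is None:
        raise ValueError("no upstream ImageMagick version found")
    # Compare as integers: as strings, "9" would sort after "44".
    return tuple(int(g) for g in m.groups())


def is_affected(banner):
    """True when the upstream version is older than 7.1.1-44."""
    return parse_version(banner) < FIXED


def looks_like_miff(data):
    """Content sniff: a MIFF header starts with 'id=ImageMagick' (any case)."""
    return data[:14].lower() == b"id=imagemagick"


def should_reject(banner, filename, data):
    """Reject untrusted MIFF input while the installed build is affected."""
    if not is_affected(banner):
        return False
    name = filename.lower()
    # A "miff:" prefix or ".miff" suffix selects the MIFF coder as well,
    # so the name is checked in addition to the content.
    return (name.startswith("miff:") or name.endswith(".miff")
            or looks_like_miff(data))


# Constructed sample inputs (not taken from the page).
OLD = "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 https://imagemagick.org"
NEW = "Version: ImageMagick 7.1.1-44 Q16-HDRI x86_64 https://imagemagick.org"
MIFF_BYTES = b"id=ImageMagick  version=1.0\nclass=DirectClass\n"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for banner in (OLD, NEW):
        for fname, blob in (("upload.png", MIFF_BYTES), ("photo.png", PNG_BYTES)):
            print(parse_version(banner), fname, should_reject(banner, fname, blob))
```

Distribution packages may carry the fix under an older upstream version (the affected-products list on this page gives package-level ranges such as `< 7.1.1.21-150600.3.3.1`), so for distro builds compare the package version against the vendor's fixed range rather than the upstream banner.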
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8 <7.1.1-44 + 1 more
- (no CPE) range: <7.1.1-44
- (no CPE) range: 0
- osv-coords, 6 versions:
  - pkg:apk/chainguard/imagemagick-6
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP7
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7
< 6.9.13.38-r0 + 5 more
- (no CPE) range: < 6.9.13.38-r0
- (no CPE) range: < 7.1.1.21-150600.3.3.1
- (no CPE) range: < 7.1.1.21-150600.3.3.1
- (no CPE) range: < 7.1.0.9-150400.6.30.1
- (no CPE) range: < 7.1.1.21-150600.3.3.1
- (no CPE) range: < 7.1.1.43-150700.3.3.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The calculation of packet_size for multispectral MIFF images does not correctly account for all channels, leading to incorrect memory allocation."
Attack vector
An attacker can trigger this vulnerability by providing a specially crafted multispectral MIFF image to ImageMagick. The mishandling of packet_size during the rendering of image channels can lead to memory corruption. This corruption may be exploitable to achieve arbitrary code execution or a denial-of-service condition.
Affected code
The vulnerability resides in the `ReadMIFFImage` and `WriteMIFFImage` functions within ImageMagick. Specifically, the logic for calculating `packet_size` is affected, as shown in the provided commit diff [1]. The incorrect calculation occurs when processing multispectral MIFF images.
What the fix does
The patch modifies the calculation of `packet_size` within the `ReadMIFFImage` and `WriteMIFFImage` functions. Previously, `packet_size` was incremented by `image->number_meta_channels * image->depth / 8` when `image->number_meta_channels` was not zero. The fix changes this to `packet_size = GetImageChannels(image) * image->depth / 8`, ensuring that the packet size correctly accounts for all image channels, thus preventing memory corruption.
Preconditions
- input: The attacker must provide a malicious multispectral MIFF image file.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.