VYPR
High severity · NVD Advisory · Published Jul 14, 2025 · Updated Nov 3, 2025

ImageMagick has Stack Buffer Overflow in image.c

CVE-2025-53101

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick mogrify command, specifying multiple consecutive %d format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through vsnprintf(). Versions 7.1.2-0 and 6.9.13-26 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack buffer underwrite in ImageMagick's InterpretImageFilename(), triggered by consecutive %d specifiers in a filename template, can lead to RCE.

Vulnerability

Overview

CVE-2025-53101 is a buffer underwrite vulnerability (CWE-124) in ImageMagick's InterpretImageFilename() function within MagickCore/image.c [1]. When the magick mogrify command (or other subcommands like convert, identify, etc.) is invoked with a filename template containing multiple consecutive %d format specifiers, internal pointer arithmetic during offset correction produces an address before the stack buffer. This causes vsnprintf() to write into memory below the intended buffer, resulting in a stack overflow [1][2]. The flaw affects all versions prior to 7.1.2-0 and 6.9.13-26 [2].

Exploitation

Exploitation requires the ability to supply a crafted filename template to any affected ImageMagick command, such as mogrify, convert, compare, composite, conjure, identify, or montage [1]. Command-line use involves no authentication of its own, but in typical server scenarios (e.g., web applications using ImageMagick), an attacker must control the filename parameter. The vulnerability does not require any special network position beyond the ability to invoke the vulnerable command [1]. Attackers who can control both the options and filenames passed to ImageMagick can trigger the buffer underwrite.

Impact

A successful exploit can corrupt the stack and potentially lead to arbitrary code execution (RCE). The advisory confirms RCE is achievable when ASLR is disabled and a suitable one_gadget is present in libc [1]. This gives an attacker the ability to execute arbitrary commands in the context of the ImageMagick process, which could be used to compromise a system or pivot to further attacks.

Mitigation

The vulnerability has been patched in ImageMagick versions 7.1.2-0 and 6.9.13-26 [2]. The fix is included in Magick.NET 14.7.0, which bundles ImageMagick 7.1.2-0 [4]. Users should upgrade to the patched version immediately. As a workaround, applications should sanitize or restrict filename templates that contain multiple %d specifiers until upgrading is possible [1].
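
The offset bookkeeping described in the Overview, and a template screen of the kind suggested under Mitigation, as an added example (not ImageMagick code and not part of the advisory). The function names, the restriction to %d, %o and %x with an optional zero-prefixed width, and the non-negative value are assumptions of this example; the two offset rules are the pre-patch and patched lines of the fix commit's diff on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters printed for a non-negative value in the given base, padded to width. */
static long printed_len(unsigned long v, unsigned base, long width)
{
  long n = 1;
  while (v >= base) { v /= base; n++; }
  return n > width ? n : width;
}

/* Model (assumption of this example): computes the index that would be passed
   as filename+index for each specifier and never writes anywhere. Returns the
   lowest such index, or 0 when none falls below the start of the buffer. */
long lowest_dest_index(const char *format, unsigned long value, int patched)
{
  long offset = 0, lowest = 0;
  const char *p;
  for (p = strchr(format, '%'); p != NULL; p = strchr(p + 1, '%'))
  {
    const char *q = p + 1;
    long field_width = 0, dest, count;
    char *end;
    if (*q == '%') { p++; continue; }              /* literal percent sign */
    if (*q == '0') { field_width = strtol(q, &end, 10); q = end; }
    if (*q != 'd' && *q != 'o' && *q != 'x') continue;
    dest = (long) (p - format) - offset;           /* p-format-offset */
    if (dest < lowest) lowest = dest;
    count = printed_len(value, *q == 'd' ? 10 : *q == 'o' ? 8 : 16, field_width);
    q++;                                           /* one past the conversion */
    offset += patched ? (long) (q - p) - count     /* specifier length - output */
                      : 4 - field_width;           /* pre-patch constant */
  }
  return lowest;
}

/* Screening check for unpatched builds: the pre-patch rule ignores the value. */
int template_underwrites_prepatch(const char *format)
{
  return lowest_dest_index(format, 0, 0) < 0;
}

int main(void)
{
  printf("%ld %ld\n", lowest_dest_index("%d%d%d", 1, 0), lowest_dest_index("%d%d%d", 1, 1));
  return 0;
}
```

For the template `%d%d%d` the pre-patch rule reaches index -4, while the patched rule never goes below 0.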

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.7.014.7.0
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.7.014.7.0
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.7.014.7.0
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.7.014.7.0
Magick.NET-Q16-HDRI-arm64NuGet
< 14.7.014.7.0
Magick.NET-Q16-HDRI-x64NuGet
< 14.7.014.7.0
Magick.NET-Q16-HDRI-x86NuGet
< 14.7.014.7.0
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.7.014.7.0
Magick.NET-Q16-OpenMP-x64NuGet
< 14.7.014.7.0
Magick.NET-Q16-arm64NuGet
< 14.7.014.7.0
Magick.NET-Q16-x64NuGet
< 14.7.014.7.0
Magick.NET-Q16-x86NuGet
< 14.7.014.7.0
Magick.NET-Q8-AnyCPUNuGet
< 14.7.014.7.0
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.7.014.7.0
Magick.NET-Q8-OpenMP-x64NuGet
< 14.7.014.7.0
Magick.NET-Q8-arm64NuGet
< 14.7.014.7.0
Magick.NET-Q8-x64NuGet
< 14.7.014.7.0
Magick.NET-Q8-x86NuGet
< 14.7.014.7.0

Affected products

2
  • ImageMagick/Imagemagick (llm-fuzzy), 2 versions
    <7.1.2-0 and <6.9.13-26, + 1 more
    • (no CPE) range: <7.1.2-0 and <6.9.13-26
    • (no CPE) range: < 7.1.2-0

Patches

1
643deeb60803

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9

1 file changed · +7 -6
  • magick/image.c · +7 -6 · modified
    @@ -1677,7 +1677,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
         canonical;
     
       ssize_t
    -    field_width,
         offset;
     
       canonical=MagickFalse;
    @@ -1693,21 +1692,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
             p++;
             continue;
           }
    -    field_width=0;
    -    if (*q == '0')
    -      field_width=(ssize_t) strtol(q,&q,10);
         switch (*q)
         {
           case 'd':
           case 'o':
           case 'x':
           {
    +        ssize_t
    +          count;
    +
             q++;
             c=(*q);
             *q='\0';
    -        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
    +        count=FormatLocaleString(filename+(p-format-offset),(size_t)
               (MaxTextExtent-(p-format-offset)),p,value);
    -        offset+=(4-field_width);
    +        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
    +          return(0);
    +        offset+=(ssize_t) ((q-p)-count);
             *q=c;
             (void) ConcatenateMagickString(filename,q,MaxTextExtent);
             canonical=MagickTrue;
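
Review bot: The new `return(0);` after the FormatLocaleString call exits while `*q` still holds the `'\0'` written just above it, because the restoring `*q=c;` only comes after the check; on this error path the format string is left truncated at the specifier. Restore the byte before returning, for example by placing `*q=c;` ahead of `return(0);`. The added check also bounds `count` with MagickPathExtent, while the size passed to FormatLocaleString and to ConcatenateMagickString in the same hunk is expressed with MaxTextExtent; using one constant throughout would make the bound easier to verify against the buffer's declared size.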
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
