ImageMagick: heap-buffer overflow read in MNG magnification with alpha

Vulnerability

Overview

CVE-2025-55004 is a heap-buffer overflow read vulnerability in ImageMagick, affecting versions prior to 7.1.2-1. The bug resides in the ReadOneMNGImage function within coders/png.c and is triggered during image magnification (MAGN chunk) when handling images that have a separate alpha channel (color type >= 12) [1]. The root cause is a mismatch between the allocated buffer size for intermediate pixel rows and the actual number of channels after the alpha channel is dynamically added to the image's channel map [1].

Exploitation

Details

An attacker can exploit this by crafting a malicious MNG file that includes a JPEG image with a separate alpha channel and a MAGN chunk. When ImageMagick processes this file, the alpha channel is loaded but the GetAuthenticPixels call that updates the channel map may not occur until after the intermediate buffers next and prev are allocated based on the old channel count [1]. Subsequent pixel reads using GetPixelXXX macros assume the larger channel layout, causing reads beyond the allocated buffer boundaries [1]. The provided proof-of-concept generates such an MNG file and is not blocked by default security policies [1].

Impact

This heap-buffer overflow read can likely be used to leak subsequent memory contents into the output image, potentially exposing sensitive information from the process's address space [1][3]. The vulnerability does not require authentication and can be triggered remotely by processing a crafted file.

Mitigation

The issue has been patched in ImageMagick version 7.1.2-1 [1][3]. Users should update to this version or later. For environments using ImageMagick for image processing should apply the update promptly. The Magick.NET wrapper also addressed this in version 14.8.0 [4].