VYPR
← All advisories
Moderate severityNVD Advisory· Published Aug 13, 2025· Updated Aug 13, 2025

ImageMagick Undefined Behavior (function-type-mismatch) in CloneSplayTree

CVE-2025-55160

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior (function-type-mismatch) in splay tree cloning callback. This results in a deterministic abort under UBSan (DoS in sanitizer builds), with no crash in a non-sanitized build. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A function-type-mismatch undefined behavior in ImageMagick's splay tree cloning callback causes deterministic abort under UBSan, with no crash in normal builds.

Root

Cause

In ImageMagick versions prior to 6.9.13-27 and 7.1.2-1, the CloneSplayTree function uses a callback with an incorrect function signature, leading to undefined behavior classified as a function-type-mismatch [1][2]. This flaw exists in the splay tree implementation within MagickCore/splay-tree.c [3].

Attack

Vector

The vulnerability is triggered by processing a minimal, specially crafted 2-byte input through MagickWand's coalesce operation [3]. No authentication is required, as ImageMagick often processes user-supplied images in web services or desktop applications. The attack surface is limited to sanitizer-enabled builds (e.g., those compiled with UndefinedBehaviorSanitizer), where the mismatch is detected and causes a deterministic abort [2][3]. In non-sanitized builds, the code executes without visible crash [2].

Impact

Under UBSan, an attacker can cause a denial-of-service (DoS) condition by providing the malicious 2-byte input, which will abort the process [2][3]. The advisory notes that the security impact is likely low in production environments because typical builds do not use sanitizers, and no crash occurs without them [2][3].

Mitigation

The issue has been patched in ImageMagick versions 6.9.13-27 and 7.1.2-1 [1][2]. Users should update to these versions or later. The .NET binding Magick.NET has also released version 14.8.0 which includes this fix [4].

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2025-55160
  3. Undefined Behavior (function-type-mismatch) in CloneSplayTree
  4. Release Magick.NET 14.8.0 · dlemstra/Magick.NET

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.8.014.8.0
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.8.014.8.0
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.8.014.8.0
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.8.014.8.0
Magick.NET-Q16-HDRI-arm64NuGet
< 14.8.014.8.0
Magick.NET-Q16-HDRI-x64NuGet
< 14.8.014.8.0
Magick.NET-Q16-HDRI-x86NuGet
< 14.8.014.8.0
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.8.014.8.0
Magick.NET-Q16-OpenMP-x64NuGet
< 14.8.014.8.0
Magick.NET-Q16-arm64NuGet
< 14.8.014.8.0
Magick.NET-Q16-x64NuGet
< 14.8.014.8.0
Magick.NET-Q16-x86NuGet
< 14.8.014.8.0
Magick.NET-Q8-AnyCPUNuGet
< 14.8.014.8.0
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.8.014.8.0
Magick.NET-Q8-OpenMP-x64NuGet
< 14.8.014.8.0
Magick.NET-Q8-arm64NuGet
< 14.8.014.8.0
Magick.NET-Q8-x64NuGet
< 14.8.014.8.0
Magick.NET-Q8-x86NuGet
< 14.8.014.8.0

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    <6.9.13-27, <7.1.2-1+ 1 more
    • (no CPE)range: <6.9.13-27, <7.1.2-1
    • (no CPE)range: < 6.9.13-27

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.