VYPR
High severity · NVD Advisory · Published Dec 10, 2025 · Updated Dec 11, 2025

ImageMagick is vulnerable to an Integer Overflow in TIM decoder leading to out of bounds read (32-bit only)

CVE-2025-66628

Description

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10.
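
The size arithmetic described above, as an added example that is not ImageMagick's code: uint32_t stands in for a 32-bit size_t so the wrap reproduces on any host, and the function names and header values are hypothetical. It compares the wrapped result with a checked computation that rejects dimensions whose byte count does not fit.

```c
#include <stdint.h>
#include <stdio.h>

/* Models the unchecked computation on a target where size_t is 32 bits.
   uint32_t is an assumption standing in for that size_t. */
static uint32_t tim_size_unchecked(uint16_t width, uint16_t height)
{
    return (uint32_t)2u * (uint32_t)width * (uint32_t)height;
}

/* Checked form: returns 0 and stores the size on success, -1 when
   2 * width * height does not fit in a 32-bit size_t. */
static int tim_size_checked(uint16_t width, uint16_t height, uint32_t *out)
{
    uint64_t exact = 2ull * width * height;   /* cannot overflow 64 bits */
    if (exact > UINT32_MAX)
        return -1;
    *out = (uint32_t)exact;
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from a real file. */
    const uint16_t dims[][2] = { {320, 240}, {65535, 32769}, {65535, 65535} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint16_t w = dims[i][0], h = dims[i][1];
        uint32_t ok_size = 0;
        int rc = tim_size_checked(w, h, &ok_size);
        /* exact = true byte count, wrapped = what a 32-bit size_t would hold */
        printf("%5u x %5u  exact=%llu  wrapped=%u  checked=%s\n",
               (unsigned)w, (unsigned)h,
               2ull * w * h,
               (unsigned)tim_size_unchecked(w, h),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

How far the wrapped value falls below the true size depends on the dimensions, which is why the check compares the exact product against the type's maximum instead of looking at the result.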

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in ImageMagick TIM parser triggers OOB read on 32-bit systems, fixed in 7.1.2-10.

Vulnerability Overview

The TIM (PSX TIM) image parser in ImageMagick versions 7.1.2-9 and prior contains an integer overflow vulnerability in the ReadTIMImage function within coders/tim.c. The code reads 16-bit width and height values from the file header and calculates image_size = 2 * width * height without any overflow check [2]. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value [2].

Exploitation Details

The overflow leads to a small heap allocation via AcquireQuantumMemory, as the computed image_size is far smaller than expected. Subsequent operations that rely on the original width and height dimensions can then read beyond the allocated buffer, resulting in an out-of-bounds read [2]. Exploitation requires only the ability to supply a crafted TIM image file; no special authentication or privileges are needed beyond accessing ImageMagick's processing pipeline.

Impact

An attacker can achieve arbitrary memory disclosure through the out-of-bounds read, potentially leaking sensitive information from the process's address space [2]. The vulnerability is limited to 32-bit platforms and is not exploitable on 64-bit systems due to the larger size_t preventing overflow.

Mitigation

The issue is fixed in ImageMagick version 7.1.2-10, which was released on 2025-12-07 [3]. Users should update to the latest version. For environments where immediate patching is not possible, consider using a security policy to restrict or disable TIM file processing, or run ImageMagick on 64-bit systems where the overflow does not occur.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Magick.NET-Q16-AnyCPU (NuGet) | < 14.10.0 | 14.10.0 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 14.10.0 | 14.10.0 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 14.10.0 | 14.10.0 |
| Magick.NET-Q16-x86 (NuGet) | < 14.10.0 | 14.10.0 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 14.10.0 | 14.10.0 |
| Magick.NET-Q8-x86 (NuGet) | < 14.10.0 | 14.10.0 |

Patches

2dfa08e15cfd

Updated Magick.Native.

https://github.com/dlemstra/Magick.NET · Dirk Lemstra · Dec 7, 2025 · via ghsa
3 files changed · +4 -4
  • src/Magick.Native/libraries.md +2 -2 modified
    @@ -1,7 +1,7 @@
     # Libraries
    -Magick.Native [5d2a98803d7c9286e7ebabaf3b909864b602279d](https://github.com/dlemstra/Magick.Native/commit/5d2a98803d7c9286e7ebabaf3b909864b602279d) is build with the following libraries:
    +Magick.Native [ba9e60dcbf40eee1ea1ab83313a8a86bebadaf60](https://github.com/dlemstra/Magick.Native/commit/ba9e60dcbf40eee1ea1ab83313a8a86bebadaf60) is build with the following libraries:
     
    -- ImageMagick 7.1.2-10 (Beta) (2025-12-05)
    +- ImageMagick 7.1.2-10 (2025-12-07)
     - aom 3.13.1 (2025-09-05)
     - brotli 1.2.0 (2025-10-27)
     - libbzip2 1.0.8 (2019-07-13)
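
Review bot: the rewritten first line of libraries.md still reads "is build with"; since the line is being replaced anyway, correct it to "is built with". Separately, the hunk only records the Magick.Native pin moving from 5d2a988 to ba9e60d and the ImageMagick entry going from "7.1.2-10 (Beta) (2025-12-05)" to "7.1.2-10 (2025-12-07)", while the commit message "Updated Magick.Native." gives no reason for the bump. Name the advisory or upstream change this pin is meant to pick up, so that someone auditing the dependency can tell which fix the build carries without following the commit link.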
    
  • src/Magick.Native/Magick.Native.version +1 -1 modified
    @@ -1 +1 @@
    -2025.1205.2141
    \ No newline at end of file
    +2025.1207.1436
    \ No newline at end of file
    
  • src/Magick.Native/TrademarkAttribute.cs +1 -1 modified
    @@ -1,2 +1,2 @@
     // <auto-generated/>
    -[assembly: System.Reflection.AssemblyTrademark("ImageMagick 7.1.2-10 (Beta)")]
    \ No newline at end of file
    +[assembly: System.Reflection.AssemblyTrademark("ImageMagick 7.1.2-10")]
    \ No newline at end of file
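
Review bot: TrademarkAttribute.cs carries the "// <auto-generated/>" marker, so confirm the new AssemblyTrademark string came from regenerating the file and not from a hand edit. This commit records the same release in three files (libraries.md, Magick.Native.version and this attribute); a build-time check that the ImageMagick version in the attribute matches the one listed in libraries.md would catch a partial bump, for example one that leaves the "(Beta)" label in place.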
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
