ImageMagick vulnerable to heap-buffer-overflow
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick versions prior to 7.1.1-14 have a heap-buffer-overflow vulnerability that can be triggered via a crafted TIFF file, causing a crash.
Analysis
ImageMagick versions 7.1.1-13 and earlier contain a heap-buffer-overflow vulnerability when processing specially crafted TIFF files. The bug is triggered in the TIFF decoding routines, leading to memory corruption and an application crash. [2][3]
Exploitation
An attacker can exploit this vulnerability by providing a malicious TIFF file to an application or service that uses ImageMagick, such as a web upload feature or image processing pipeline. No authentication is required; the attacker only needs to induce the target to process the file, e.g., via magick poc.tiff /dev/null. [1][3]
Impact
Successful exploitation leads to a denial-of-service condition (application crash). Based on the available information, no further code execution or data leakage has been proven, but heap overflows can potentially be leveraged for more severe impacts depending on memory layout and mitigations. [3]
Mitigation
The vulnerability is fixed in ImageMagick version 7.1.1-14 and later. Users should upgrade immediately or, as a workaround, implement a security policy that restricts processing of untrusted TIFF files. [2][3]
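A policy.xml fragment, added here as an illustration and not taken from the advisory or the ImageMagick project, that applies the workaround described above: it denies the TIFF coders so ImageMagick refuses to read or write TIFF until the upgrade to 7.1.1-14 is in place. The file location and the coder names TIFF, TIFF64 and PTIF are assumptions; check them against your build.

```xml
<!-- Assumed location: /etc/ImageMagick-7/policy.xml (the path depends on the
     distribution and build; `magick -list policy` prints the file in use and
     the rules currently active). Merge this rule into the existing policymap
     rather than replacing the shipped rules. -->
<policymap>
  <!-- Workaround for CVE-2025-68469 on ImageMagick < 7.1.1-14: with rights="none"
       the named coders are refused before the TIFF decoding path is reached, so a
       crafted TIFF is rejected with a policy error instead of crashing the process.
       Coder names are an assumption; remove the rule once 7.1.1-14 or later is installed. -->
  <policy domain="coder" rights="none" pattern="{TIFF,TIFF64,PTIF}" />
</policymap>
```

After editing, confirm with `magick -list policy` (or `convert -list policy` on ImageMagick 6) that the coder rule appears in the active policy; a policy file that fails to parse is silently ignored and leaves TIFF processing enabled.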
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2025-68469
- heap-buffer-overflow in ImageMagick <= 7.1.1-13
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-HDRI-arm64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-HDRI-x64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-OpenMP-arm64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-OpenMP-x64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-arm64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-x64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q16-x86 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q8-OpenMP-arm64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q8-OpenMP-x64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q8-arm64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q8-x64 (NuGet) | < 13.2.0 | 13.2.0 |
| Magick.NET-Q8-x86 (NuGet) | < 13.2.0 | 13.2.0 |
Affected products
- (no CPE) range: 7.0.1-0, 7.0.1-1, 7.0.1-10, … (+1 more)
- (no CPE) range: <7.1.1-14
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fff3-4rp7-px97 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68469 (ghsa, ADVISORY)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fff3-4rp7-px97 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.