ImageMagick has heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when writing UHDR images with large dimensions
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. WriteUHDRImage in coders/uhdr.c uses int arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit int, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in ImageMagick's WriteUHDRImage leads to heap buffer overflow, potentially causing crashes or code execution before patch in 7.1.2-15.
Vulnerability
CVE-2026-25794 is an integer overflow vulnerability in ImageMagick's WriteUHDRImage function in coders/uhdr.c. The function uses int arithmetic to compute the pixel buffer size. When image dimensions are large, the multiplication overflows a 32-bit int, resulting in an undersized heap allocation. Subsequent writes to this buffer cause an out-of-bounds heap write [1][2].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted image with large dimensions. No authentication is required if the application processes untrusted images via ImageMagick. The overflow silently produces a small buffer, and then data is written beyond its bounds, leading to memory corruption [2].
Impact
Successful exploitation can crash the process or potentially lead to arbitrary code execution in the context of the affected application. The vulnerability is classified as a heap buffer overflow with high severity [2].
Mitigation
The issue is fixed in ImageMagick version 7.1.2-15 [2]. The commit (ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed) adds a check to reject images with dimensions that would cause overflow [4]. The Magick.NET library also includes this fix in version 14.10.3 [3]. As a workaround, administrators can enforce security policies that limit image dimensions to prevent exploitation [1].
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2026-25794
- Release Magick.NET 14.10.3 · dlemstra/Magick.NET
- Prevent out of bounds heap write in uhdr encoder (https://github.com/… · ImageMagick/ImageMagick@ffe589d
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Magick.NET-Q16-AnyCPUNuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-AnyCPUNuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-OpenMP-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-x86NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-OpenMP-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-OpenMP-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-OpenMP-x86NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-x86NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-AnyCPUNuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-OpenMP-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-OpenMP-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-x86NuGet | < 14.10.3 | 14.10.3 |
Affected products
2<7.1.2-15+ 1 more
- (no CPE)range: <7.1.2-15
- (no CPE)range: < 7.1.2-15
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-vhqj-f5cj-9x8hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25794ghsaADVISORY
- github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30edghsaWEB
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8hghsax_refsource_CONFIRMWEB
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3ghsaWEB
News mentions
0No linked articles in our index yet.