VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026

ImageMagick has heap overflow in sun decoder on 32-bit systems that can result in out of bounds write

CVE-2026-25897

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in ImageMagick's sun decoder allows heap out-of-bounds write on 32-bit systems, patched in versions 7.1.2-15 and 6.9.13-40.

Vulnerability

Overview

CVE-2026-25897 is an integer overflow vulnerability in ImageMagick's sun decoder, affecting both the legacy 6.x and modern 7.x series prior to versions 6.9.13-40 and 7.1.2-15 respectively [2]. The flaw manifests specifically on 32-bit systems or builds, where the 32-bit arithmetic used for image dimension and buffer-size calculations can wrap. A crafted SUN raster image can trigger an out-of-bounds heap write, leading to memory corruption [2][4].

Exploitation

Vector

The vulnerability resides in the ReadSUNImage function, where the product of pixels_length and image->rows is computed without proper overflow checks [4]. An attacker must provide a specially crafted SUN image file that exploits the 32-bit integer wrapping. No authentication is required if the victim processes the malicious image using an affected ImageMagick version, making it exploitable via user uploads or automated image processing pipelines [1].

Impact

Successful exploitation results in a heap overflow, which can cause a denial-of-service (crash) or, under favorable memory conditions, arbitrary code execution in the context of the ImageMagick process [2]. This is particularly concerning for environments that rely on ImageMagick for server-side image processing, such as content management systems or media conversion services, where a crafted image could compromise the host system.

Mitigation

The ImageMagick project has released patched versions: 6.9.13-40 and 7.1.2-15, which add an explicit integer overflow check before memory allocation [4]. Users should upgrade immediately. The related advisory (GHSA-6j5f-24fw-pqp4) is also noted in the Magick.NET release notes, indicating downstream projects have been updated [3]. No workaround is available apart from disabling SUN format support or using a policy file to block the format until the patch can be applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
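The bug class the Vector and Mitigation sections describe, as an added example that is not ImageMagick's own ReadSUNImage code: a per-row byte length multiplied by a row count in 32-bit arithmetic (the unchecked form that wraps) beside the explicit overflow check the patched versions add before allocation. The raster_dims struct, all function names and the sample dimensions are constructed for this illustration; the 32-bit build is modelled by doing the size arithmetic in uint32_t so the wrap reproduces on any host.

```c
/* Added illustration of the CVE-2026-25897 bug class, not ImageMagick's
 * own ReadSUNImage code. Names are hypothetical; the 32-bit build is
 * modelled by performing the size arithmetic in uint32_t. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the header-derived values a raster decoder
 * multiplies; both are attacker-controlled in a crafted file. */
struct raster_dims {
    uint32_t pixels_length;   /* bytes per row after depth/padding math */
    uint32_t rows;            /* image->rows */
};

/* Vulnerable pattern: the product is formed in 32-bit arithmetic and wraps
 * modulo 2^32, so a crafted header yields a small allocation size while the
 * decoder still writes pixels_length * rows bytes into that buffer. */
static uint32_t unchecked_buffer_size(const struct raster_dims *d)
{
    return d->pixels_length * d->rows;
}

/* True when the exact product does not fit in 32 bits, i.e. the unchecked
 * size above is smaller than what the decoder will write. */
static bool product_wraps(const struct raster_dims *d)
{
    uint64_t exact = (uint64_t)d->pixels_length * d->rows;
    return exact > UINT32_MAX;
}

/* Hardened pattern: test for overflow before multiplying. The division form
 * needs no wider type, so it works identically on any word size. */
static bool checked_buffer_size(const struct raster_dims *d, uint32_t *out)
{
    if (d->pixels_length != 0 && d->rows > UINT32_MAX / d->pixels_length)
        return false;   /* product would not fit; refuse the allocation */
    *out = d->pixels_length * d->rows;
    return true;
}

/* Allocation step that refuses wrapped sizes instead of handing the decoder
 * an undersized heap buffer. Returns NULL on overflow or allocation failure. */
static unsigned char *allocate_pixels(const struct raster_dims *d)
{
    uint32_t bytes;
    if (!checked_buffer_size(d, &bytes))
        return NULL;
    return (unsigned char *)malloc(bytes ? bytes : 1);
}

int main(void)
{
    /* Constructed crafted header: 65536 * 65537 = 2^32 + 65536, which
     * wraps to 65536 in 32-bit arithmetic. */
    struct raster_dims crafted = { 0x10000u, 0x10001u };
    struct raster_dims benign  = { 1024u, 768u };
    uint32_t bytes;

    printf("crafted: unchecked size = %u, wraps = %d\n",
           unchecked_buffer_size(&crafted), product_wraps(&crafted));
    printf("crafted: checked allocation %s\n",
           checked_buffer_size(&crafted, &bytes) ? "accepted" : "refused");
    if (checked_buffer_size(&benign, &bytes))
        printf("benign: checked size = %u\n", bytes);

    unsigned char *p = allocate_pixels(&benign);
    free(p);
    return 0;
}
```

On a 64-bit build the same two dimensions would not wrap, which is why the advisory scopes the issue to 32-bit systems; the check is still the correct fix everywhere, because larger header values wrap a 64-bit product just as readily. The division-form test is used here because it is portable; compilers that provide a checked-multiply builtin can express the same guard in one call.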

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem  Affected versions  Patched versions
Magick.NET-Q16-AnyCPU              NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-HDRI-AnyCPU         NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64   NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-HDRI-OpenMP-x64     NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-HDRI-arm64          NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-HDRI-x64            NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-HDRI-x86            NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-OpenMP-arm64        NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-OpenMP-x64          NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-OpenMP-x86          NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-arm64               NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-x64                 NuGet      < 14.10.3          14.10.3
Magick.NET-Q16-x86                 NuGet      < 14.10.3          14.10.3
Magick.NET-Q8-AnyCPU               NuGet      < 14.10.3          14.10.3
Magick.NET-Q8-OpenMP-arm64         NuGet      < 14.10.3          14.10.3
Magick.NET-Q8-OpenMP-x64           NuGet      < 14.10.3          14.10.3
Magick.NET-Q8-arm64                NuGet      < 14.10.3          14.10.3
Magick.NET-Q8-x64                  NuGet      < 14.10.3          14.10.3
Magick.NET-Q8-x86                  NuGet      < 14.10.3          14.10.3

Affected products

  • ImageMagick/Imagemagick (2 version ranges)
    • (no CPE) range: before 7.1.2-15 and before 6.9.13-40
    • (no CPE) range: >= 7.0.0, < 7.1.2-15
