ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression
Description
When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in ImageMagick's MIFF encoder when using LZMA compression can lead to heap memory corruption.
Vulnerability
When LZMA compression is selected in the MIFF encoder of ImageMagick, an out-of-bounds write occurs due to a missing bounds check. This affects ImageMagick and downstream wrappers such as Magick.NET versions prior to 14.13.1 [2]. The bug resides in the encoder's handling of compressed data streams during MIFF file creation [3].
Exploitation
An attacker must supply a specially crafted image that triggers the LZMA compression path in the MIFF encoder. No authentication is required, but user interaction (e.g., opening the malicious file) is needed. The attack can be performed remotely via crafted files served through applications that use ImageMagick to process images [3].
Impact
Successful exploitation results in a heap buffer overwrite, which can lead to denial of service, data corruption, or potentially code execution. The vulnerability has moderate severity, with CVSS metrics indicating high availability impact [3]. An attacker may disrupt the affected service or compromise the integrity of memory contents.
Mitigation
Upgrade ImageMagick to a patched version (release details expected from the maintainer). For Magick.NET, versions 14.13.1 and later contain the fix [2]. If immediate patching is not possible, avoid using LZMA compression in the MIFF encoder by switching to a different compression method or format. No workaround is disclosed in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 14.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.