ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.
Description
An incorrect check in the JP2 encoder will result in a heap buffer over-write of a single byte when specifying certain options.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A single-byte heap buffer over-write in ImageMagick's JP2 encoder when processing crafted images with specific options.
Vulnerability
An incorrect bounds check in the JP2 encoder of ImageMagick (versions prior to 14.13.1) results in a heap buffer over-write of a single byte when the software processes a crafted image file with certain encoding options specified. The vulnerable code path is reachable when a user requests JP2 output, likely via command-line or API use of the encoder. Affected packages include Magick.NET-Q16-AnyCPU and related NuGet packages before version 14.13.1 [1][2].
Exploitation
An attacker must craft a malicious image file that, when processed by ImageMagick's JP2 encoder with specific options (e.g., quality or compression parameters), triggers the single-byte out-of-bounds write. The attack can be performed remotely if the victim processes the file (e.g., via a web service or batch conversion). No authentication is required, but user interaction is needed (the victim must open or convert the file). The attack complexity is low, as the vulnerability can be triggered without special privileges [3].
Impact
Successful exploitation results in a heap buffer over-write of one byte, which can lead to memory corruption. This may cause a denial of service (application crash) or, in more severe scenarios, enable arbitrary code execution depending on the heap layout and the overwritten byte's location. The CVSS score indicates moderate severity (likely 6.5-7.5 range), with potential impacts on confidentiality, integrity, and availability [3].
Mitigation
ImageMagick and Magick.NET users should upgrade to version 14.13.1 or later, which contains the fix [2]. Administrators can also limit exposure by restricting file upload capabilities to trusted sources and ensuring that the JP2 encoder is not used with untrusted input until patched. No workaround other than disabling the JP2 format is documented in the references [1][2][3].
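As an added illustration of the "disable the JP2 format" workaround mentioned above (this is not configuration from the advisory or from the ImageMagick project), the following policy.xml fragment blocks the JP2 coder through ImageMagick's security policy mechanism. It assumes a stock ImageMagick 7 installation where the policy file is read from the path printed by `magick -list policy`; the brace pattern is assumed to cover the format aliases registered by the JP2 coder module, and should be checked against `magick -list format` on the actual install.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: ImageMagick security policy that refuses the JP2 coder
     for both reading and writing. Merge into the existing policy.xml
     (location shown by `magick -list policy`); do not replace that file. -->
<policymap>
  <!-- rights="none" blocks decode and encode for every listed format alias.
       Because the defect described in the advisory is in the encoder,
       rights="read" would keep JP2 input working while still refusing
       JP2 output; "none" is the stricter choice for untrusted input. -->
  <policy domain="coder" rights="none" pattern="{JP2,J2K,JPC,JPT,JPM}" />
</policymap>
```

After saving the file, `magick -list policy` lists the active rule, and a conversion such as `magick input.png output.jp2` should fail with a policy error rather than invoke the JP2 encoder; that failing command is the quick check that the restriction is in effect before the upgrade to 14.13.1 is rolled out.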
[1] GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
[2] CVE-2026-46559 - GitHub Advisory Database
[3] Heap Buffer Over-Write of a single byte in the JP2 encoder
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 14.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.