Bug 2391093 (CVE-2025-57803) - CVE-2025-57803 imagemagick: ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow
Summary: CVE-2025-57803 imagemagick: ImageMagick (WriteBMPImage): 32-bit integer overf...
Keywords:
Status: NEW
Alias: CVE-2025-57803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2392771 2392772 2392773 2392774 2392775
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-08-26 18:01 UTC by OSIDB Bzimport
Modified: 2025-09-22 05:33 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:16313 0 None None None 2025-09-22 05:33:05 UTC

Description OSIDB Bzimport 2025-08-26 18:01:22 UTC 
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.
Comment 2 errata-xmlrpc 2025-09-22 05:33:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:16313 https://access.redhat.com/errata/RHSA-2025:16313
Note You need to log in before you can comment on or make changes to this bug.