ImageMagick < 7.1.2-10 Integer Overflow (GHSA-6hjr-v6g4-3fm8)

11 Dec 2025 00:00:00 | Reported by Tenable | Type: nessus | www.tenable.com

ImageMagick before 7.1.2-10 has an integer overflow in its TIM parser that can lead to an out-of-bounds read.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(278315);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/25");

  script_cve_id("CVE-2025-66628");
  script_xref(name:"IAVB", value:"2025-B-0205-S");

  script_name(english:"ImageMagick < 7.1.2-10 Integer Overflow (GHSA-6hjr-v6g4-3fm8)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application installed that is affected by an integer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host has a version of ImageMagick installed that is prior to 7.1.2-10. It is, therefore, affected
by an integer overflow vulnerability.

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the
TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function
(coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 *
width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can
overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap
allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read.
This issue is fixed in version 7.1.2-10.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef7b8e74");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ImageMagick version 7.1.2-10 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-66628");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:imagemagick:imagemagick");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("imagemagick_installed.nasl");
  script_require_keys("installed_sw/ImageMagick");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'ImageMagick');

var arch = get_kb_item('SMB/ARCH');
# if it's not definitely 32 bit arch, require paranoia to flag in case 32 bit version of ImageMagick is installed
if (arch != 'x86' && report_paranoia < 2)
{
  audit(AUDIT_POTENTIAL_VULN, 'ImageMagick');
}

var constraints = [
  { 'fixed_version' : '7.1.2.10', 'fixed_display' : '7.1.2-10'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
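
The plugin description attributes the bug to computing image_size = 2 * width * height in a 32-bit size_t without an overflow check. The C sketch below is an added example, not code from ImageMagick or from the Tenable plugin: it shows the unchecked 32-bit product losing its high bits for the 65535 x 65535 case the description mentions, next to a checked form that rejects it. The names size32_t, tim_size_unchecked and tim_size_checked are hypothetical, and uint32_t stands in for a 32-bit size_t so the wrap is visible on any host.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: models size_t on a 32-bit build. */
typedef uint32_t size32_t;

/* Unchecked form of the calculation the description quotes.
 * Unsigned arithmetic wraps modulo 2^32, so high bits are silently lost. */
static size32_t tim_size_unchecked(uint16_t width, uint16_t height)
{
  return (size32_t) 2 * width * height;
}

/* Checked form: compute in 64 bits (2 * 65535 * 65535 cannot overflow
 * uint64_t), then refuse anything a 32-bit size_t cannot represent. */
static bool tim_size_checked(uint16_t width, uint16_t height, size32_t *out)
{
  uint64_t wide = (uint64_t) 2 * width * height;

  if (width == 0 || height == 0 || wide > UINT32_MAX)
    return false;
  *out = (size32_t) wide;
  return true;
}

int main(void)
{
  /* Constructed header values: the page's 65535 case and a benign one. */
  const uint16_t dims[][2] = { { 65535, 65535 }, { 320, 240 } };

  for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
    uint16_t w = dims[i][0], h = dims[i][1];
    size32_t checked = 0;
    bool ok = tim_size_checked(w, h, &checked);

    printf("%ux%u: true=%" PRIu64 " unchecked32=%" PRIu32 " checked=%s\n",
           (unsigned) w, (unsigned) h, (uint64_t) 2 * w * h,
           tim_size_unchecked(w, h), ok ? "accepted" : "rejected");
  }
  return 0;
}
```

Any buffer sized from the unchecked result no longer matches the dimensions that later loops iterate over, which is the mismatch the description ties to the out-of-bounds read.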


25 Feb 2026 00:00 (current)
Vulners AI Score: 5.7 (Medium risk)
CVSS 3.1: 7.5
EPSS: 0.00439