PT-2025-42625 · Unknown+5 · Imagemagick+5

Published

2025-10-17

·

Updated

2026-01-06

·

CVE-2025-62171

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

ImageMagick versions prior to 7.1.2-7 and 6.9.13-32
Description

ImageMagick is a software suite for displaying, converting, and editing raster image files. An integer overflow exists in the BMP decoder on 32-bit systems in versions prior to 7.1.2-7 and 6.9.13-32. The issue occurs in coders/bmp.c when the extent value is calculated by multiplying the image columns by the bits per pixel. A malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check is ineffective because it is placed after the overflow has already occurred. A crafted 58-byte BMP file with a width of 536,870,912 and 32 bits per pixel triggers the overflow, producing a bytes-per-line value of zero. This affects 32-bit builds of ImageMagick where the resource limits for width, height, and area have been manually raised above their defaults; 64-bit systems and systems using the default resource limits are not vulnerable.
Recommendations

Update to ImageMagick version 7.1.2-7 or later, or to 6.9.13-32 or later.
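To make the description concrete, the following added example (not ImageMagick's own code) reproduces the arithmetic with the dimensions from the advisory: a schematic multiply-then-check shape beside the check-before-multiply shape that a fix requires. `uint32_t` stands in for a 32-bit `size_t`, and the function names and the 2^30-bit limit are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Dimensions of the crafted BMP named in the advisory. */
#define CRAFTED_COLUMNS 536870912u   /* 2^29 */
#define CRAFTED_BPP     32u          /* 2^5  */

/* Vulnerable shape (schematic; not the real coders/bmp.c code): compute the
   extent in a 32-bit size_t, then validate it. 2^29 * 2^5 = 2^34 wraps to 0,
   so the later range check sees a tiny "valid" extent and bytes per line
   comes out as 0. uint32_t stands in for a 32-bit size_t. */
uint32_t bytes_per_line_check_after(uint32_t columns, uint32_t bpp,
                                    uint32_t max_extent, bool *ok)
{
    uint32_t extent = columns * bpp;   /* wraps modulo 2^32 */
    *ok = (extent <= max_extent);      /* too late: already wrapped */
    return extent / 8;
}

/* Hardened shape: reject before the multiplication can wrap. Returns false
   on zero operands, on overflow, or when the extent exceeds max_extent. */
bool bytes_per_line_check_before(uint32_t columns, uint32_t bpp,
                                 uint32_t max_extent, uint32_t *bytes_per_line)
{
    if (columns == 0 || bpp == 0)
        return false;
    if (columns > UINT32_MAX / bpp)    /* columns * bpp would exceed 2^32-1 */
        return false;
    uint32_t extent = columns * bpp;
    if (extent > max_extent)
        return false;
    *bytes_per_line = extent / 8 + (extent % 8 != 0);
    return true;
}

/* Does each shape accept the crafted file? (a 2^30-bit limit is assumed) */
bool crafted_accepted_check_after(void)
{
    bool ok;
    bytes_per_line_check_after(CRAFTED_COLUMNS, CRAFTED_BPP, 1u << 30, &ok);
    return ok;
}
bool crafted_accepted_check_before(void)
{
    uint32_t bpl;
    return bytes_per_line_check_before(CRAFTED_COLUMNS, CRAFTED_BPP, 1u << 30, &bpl);
}
```

The first shape accepts the crafted dimensions with a bytes-per-line of 0, which is exactly the condition the advisory describes; the second rejects them before any allocation or row arithmetic is reached.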

Exploit

Fix

DoS

Integer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-16112
CVE-2025-62171
DLA-4339-1
ECHO-8C44-9B92-AAE4
GHSA-9PP9-CFWX-54RM
OESA-2025-2497
OESA-2025-2498
OESA-2025-2499
OESA-2025-2500
OESA-2025-2501
OESA-2025-2588
OPENSUSE-SU-2025:15650-1
OPENSUSE-SU-2025:20162-1
RHSA-2026:3058
SUSE-SU-2025:21211-1
SUSE-SU-2025:3796-1
SUSE-SU-2025:3844-1
SUSE-SU-2025:3867-1
SUSE-SU-2025:3918-1
SUSE-SU-2025_3796-1
SUSE-SU-2025_3844-1
SUSE-SU-2025_3867-1
SUSE-SU-2025_3918-1
USN-7876-1

Affected Products

Debian
Imagemagick
Linuxmint
Red Os
Suse
Ubuntu