CWE-124
AllowedBuffer Underwrite ('Buffer Underflow')
Abstraction: Base · Status: Incomplete
The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
63 vulnerabilities reference this CWE, most recent first.
GHSA-CFV9-2RGF-F55C
Vulnerability from github – Published: 2025-05-06 15:31 – Updated: 2026-05-12 15:30A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
{
"affected": [],
"aliases": [
"CVE-2025-4373"
],
"database_specific": {
"cwe_ids": [
"CWE-124"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T15:16:05Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.",
"id": "GHSA-cfv9-2rgf-f55c",
"modified": "2026-05-12T15:30:52Z",
"published": "2025-05-06T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4373"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3677"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364265"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4373"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14991"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14990"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14989"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14988"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:13335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:12275"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:11662"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:11374"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:11373"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:11327"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:11140"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CGPR-M9MX-94J6
Vulnerability from github – Published: 2024-05-01 03:30 – Updated: 2024-07-03 18:37lunasvg v2.3.9 was discovered to contain a stack-buffer-underflow at lunasvg/source/layoutcontext.cpp.
{
"affected": [],
"aliases": [
"CVE-2024-33763"
],
"database_specific": {
"cwe_ids": [
"CWE-124",
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T03:15:07Z",
"severity": "HIGH"
},
"details": "lunasvg v2.3.9 was discovered to contain a stack-buffer-underflow at lunasvg/source/layoutcontext.cpp.",
"id": "GHSA-cgpr-m9mx-94j6",
"modified": "2024-07-03T18:37:57Z",
"published": "2024-05-01T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33763"
},
{
"type": "WEB",
"url": "https://github.com/keepinggg/poc/tree/main/poc_of_lunasvg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFW9-QR6V-4C9C
Vulnerability from github – Published: 2024-12-27 12:30 – Updated: 2024-12-27 12:30There is a buffer error vulnerability in some Huawei product. An unauthenticated attacker may send special UPNP message to the affected products. Due to insufficient input validation of some value, successful exploit may cause some service abnormal. (Vulnerability ID: HWPSIRT-2017-08234)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9086.
{
"affected": [],
"aliases": [
"CVE-2020-9086"
],
"database_specific": {
"cwe_ids": [
"CWE-124",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T10:15:12Z",
"severity": "MODERATE"
},
"details": "There is a buffer error vulnerability in some Huawei product. An unauthenticated attacker may send special UPNP message to the affected products. Due to insufficient input validation of some value, successful exploit may cause some service abnormal. (Vulnerability ID: HWPSIRT-2017-08234)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9086.",
"id": "GHSA-ffw9-qr6v-4c9c",
"modified": "2024-12-27T12:30:35Z",
"published": "2024-12-27T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9086"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200826-01-buffer_en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FG62-299P-X79J
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.
{
"affected": [],
"aliases": [
"CVE-2018-5388"
],
"database_specific": {
"cwe_ids": [
"CWE-124",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-31T13:29:00Z",
"severity": "MODERATE"
},
"details": "In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.",
"id": "GHSA-fg62-299p-x79j",
"modified": "2022-05-13T01:32:12Z",
"published": "2022-05-13T01:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5388"
},
{
"type": "WEB",
"url": "https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-16"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3771-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4229"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00077.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00047.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172833/strongSwan-VPN-Charon-Server-Buffer-Overflow.html"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/338343"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104263"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GRQQ-3JQG-G95P
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2025-11-03 21:30Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
{
"affected": [],
"aliases": [
"CVE-2021-38578"
],
"database_specific": {
"cwe_ids": [
"CWE-124",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-03T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.",
"id": "GHSA-grqq-3jqg-g95p",
"modified": "2025-11-03T21:30:38Z",
"published": "2022-03-04T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38578"
},
{
"type": "WEB",
"url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3387"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2023024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCWF-QRR5-XWQ3
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-14 15:31YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.
The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:
while ( colon >= ptr && *colon != ':' )
{
colon--;
}
if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here
When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
{
"affected": [],
"aliases": [
"CVE-2026-5089"
],
"database_specific": {
"cwe_ids": [
"CWE-124"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T17:16:21Z",
"severity": "HIGH"
},
"details": "YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.\n\nThe base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:\n\n while ( colon \u003e= ptr \u0026\u0026 *colon != \u0027:\u0027 )\n {\n colon--;\n }\n if ( *colon == \u0027:\u0027 ) *colon = \u0027\\0\u0027; // colon may be ptr-1 here\n\nWhen no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.",
"id": "GHSA-jcwf-qrr5-xwq3",
"modified": "2026-05-14T15:31:52Z",
"published": "2026-05-12T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5089"
},
{
"type": "WEB",
"url": "https://github.com/cpan-authors/YAML-Syck/issues/132"
},
{
"type": "WEB",
"url": "https://github.com/cpan-authors/YAML-Syck/pull/133"
},
{
"type": "WEB",
"url": "https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TODDR/YAML-Syck-1.38/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/12/16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q4G8-7VX3-949Q
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31Improper input validation in the SMM communications buffer could allow a privileged attacker to perform an out of bounds read or write to SMRAM potentially resulting in loss of confidentiality or integrity.
{
"affected": [],
"aliases": [
"CVE-2024-36310"
],
"database_specific": {
"cwe_ids": [
"CWE-124"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T20:16:42Z",
"severity": "MODERATE"
},
"details": "Improper input validation in the SMM communications buffer could allow a privileged attacker to perform an out of bounds read or write to SMRAM potentially resulting in loss of confidentiality or integrity.",
"id": "GHSA-q4g8-7vx3-949q",
"modified": "2026-02-10T21:31:30Z",
"published": "2026-02-10T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36310"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3023.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4013.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/Emb-Auto.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QH3H-J545-H8C9
Vulnerability from github – Published: 2025-08-25 15:43 – Updated: 2025-11-03 21:34Hi, we have found a stack buffer overflow and would like to report this issue. Could you confirm if this qualifies as a security vulnerability? I am happy to provide any additional information needed.
Summary
In ImageMagick's magick mogrify command, specifying multiple consecutive %d format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through vsnprintf().
Additional information
Upon further investigation, we found that the same issue occurs not only with mogrify but also with the following subcommands: compare, composite, conjure, convert, identify, mogrify, and montage.
Furthermore, we confirmed that this vulnerability has the potential to lead to RCE. RCE is possible when ASLR is disabled and there is a suitable one_gadget in libc, provided that options and filenames can be controlled.
Details
- Vulnerability Type: CWE-124: Buffer Underwrite
- Affected Component: MagickCore/image.c - Format processing within InterpretImageFilename()
- Affected Version: ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)
- CWE-124: Buffer Underwrite: A vulnerability where writing occurs to memory addresses before the beginning of a buffer. This is caused by a design flaw in fixed offset correction, resulting in negative pointer arithmetic during consecutive format specifier processing.
Reproduction
Tested Environment
- Operating System: Ubuntu 22.04 LTS
- Architecture: x86_64
- Compiler: gcc with AddressSanitizer (gcc version: 11.4.0)
Reproduction Steps
# Clone source
git clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1
cd ImageMagick-7.1.1
# Build with ASan
CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" LDFLAGS="-fsanitize=address" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install
# Trigger crash
./utilities/magick mogrify %d%d
Output
==4155==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda834caae at pc 0x7f1ea367fb27 bp 0x7ffda834b680 sp 0x7ffda834ae10
WRITE of size 2 at 0x7ffda834caae thread T0
#0 0x7f1ea367fb26 in __interceptor_vsnprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668
#1 0x7f1ea2dc9e3e in FormatLocaleStringList MagickCore/locale.c:470
#2 0x7f1ea2dc9fd9 in FormatLocaleString MagickCore/locale.c:495
#3 0x7f1ea2da0ad5 in InterpretImageFilename MagickCore/image.c:1696
#4 0x7f1ea2c6126b in ReadImages MagickCore/constitute.c:1051
#5 0x7f1ea27ef29b in MogrifyImageCommand MagickWand/mogrify.c:3858
#6 0x7f1ea278e95d in MagickCommandGenesis MagickWand/magick-cli.c:177
#7 0x560813499a0c in MagickMain utilities/magick.c:153
#8 0x560813499cba in main utilities/magick.c:184
#9 0x7f1ea1c0bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x7f1ea1c0be3f in __libc_start_main_impl ../csu/libc-start.c:392
#11 0x560813499404 in _start (/root/workdir/ImageMagick/utilities/.libs/magick+0x2404)
Address 0x7ffda834caae is located in stack of thread T0 at offset 62 in frame
#0 0x7f1ea2c60f62 in ReadImages MagickCore/constitute.c:1027
This frame has 2 object(s):
[32, 40) 'images' (line 1033)
[64, 4160) 'read_filename' (line 1029) <== Memory access at offset 62 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668 in __interceptor_vsnprintf
Shadow bytes around the buggy address:
0x100035061900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100035061910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100035061920: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
0x100035061930: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100035061940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100035061950: f1 f1 00 f2 f2[f2]00 00 00 00 00 00 00 00 00 00
0x100035061960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100035061970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100035061980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100035061990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000350619a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4155==ABORTING
Affected Code
In MagickCore/image.c, within the InterpretImageFilename() function:
MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
Image *image,const char *format,int value,char *filename,
ExceptionInfo *exception)
{
...
for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
{
q=(char *) p+1;
if (*q == '%')
{
p=q+1;
continue;
}
field_width=0;
if (*q == '0')
field_width=(ssize_t) strtol(q,&q,10);
switch (*q)
{
case 'd':
case 'o':
case 'x':
{
q++;
c=(*q);
*q='\0';
/*--------Affected--------*/
(void) FormatLocaleString(filename+(p-format-offset),(size_t)
(MagickPathExtent-(p-format-offset)),p,value);
offset+=(4-field_width);
/*--------Affected--------*/
*q=c;
(void) ConcatenateMagickString(filename,q,MagickPathExtent);
canonical=MagickTrue;
if (*(q-1) != '%')
break;
p++;
break;
}
case '[':
{
...
}
default:
break;
}
}
Technical Analysis
This vulnerability is caused by an inconsistency in the template expansion processing within InterpretImageFilename().
The format specifiers %d, %o, and %x in templates are replaced with integer values by FormatLocaleString(), but the output buffer position is calculated by filename + (p - format - offset).
The offset variable is cumulatively incremented to correct the output length of %d etc., but the design using a static offset += (4 - field_width) causes offset to increase excessively when % specifiers are consecutive in the template, creating a dangerous state where the write destination address points before filename.
The constant 4 was likely chosen based on the character count of typical format specifiers like %03d (total of 4 characters: %, 0, 3, d). However, in reality, there are formats with only 2 characters like %d, and formats with longer width specifications (e.g., %010d), so this uniform constant-based correction is inconsistent with actual template structures.
As a result, when the correction value becomes excessive, offset exceeds the relative position p - format within the template, generating a negative index. This static and template-independent design of the correction processing is the root cause of this vulnerability.
This causes vsnprintf() to write outside the stack buffer range, which is detected by AddressSanitizer as a stack-buffer-overflow.
Proposed Fix
In MagickCore/image.c, within the InterpretImageFilename() function:
MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
Image *image,const char *format,int value,char *filename,
ExceptionInfo *exception)
{
...
/*--------Changed--------*/
ssize_t
field_width,
offset,
written; // Added
/*--------Changed--------*/
...
for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
{
q=(char *) p+1;
if (*q == '%')
{
p=q+1;
continue;
}
field_width=0;
if (*q == '0')
field_width=(ssize_t) strtol(q,&q,10);
switch (*q)
{
case 'd':
case 'o':
case 'x':
{
q++;
c=(*q);
*q='\0';
written = FormatLocaleString(filename+(p-format-offset),(size_t)
(MagickPathExtent-(p-format-offset)),p,value);
/*--------Changed--------*/
if (written <= 0 || written > (MagickPathExtent - (p - format - offset)))
return 0;
offset += (ssize_t)((q - p) - written);
/*--------Changed--------*/
*q=c;
(void) ConcatenateMagickString(filename,q,MagickPathExtent);
canonical=MagickTrue;
if (*(q-1) != '%')
break;
p++;
break;
}
case '[':
{
...
}
default:
break;
}
}
- By updating
offsetbased on the difference between template description length(q - p)and the number of output byteswritten, buffer position consistency is maintained. - Correction is performed according to the actual template structure, ensuring stable behavior regardless of format length without relying on static constants.
- Range checking of
writtenallows detection of vsnprintf failures and excessive writes.
Commits
Fixed in https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774 and https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53101"
],
"database_specific": {
"cwe_ids": [
"CWE-124"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T15:43:37Z",
"nvd_published_at": "2025-07-14T20:15:29Z",
"severity": "HIGH"
},
"details": "Hi, we have found a stack buffer overflow and would like to report this issue.\nCould you confirm if this qualifies as a security vulnerability? I am happy to provide any additional information needed.\n\n## Summary\n\nIn ImageMagick\u0027s `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`.\n\n### Additional information\n\n Upon further investigation, we found that the same issue occurs not only with mogrify but also with the following subcommands: compare, composite, conjure, convert, identify, mogrify, and montage.\n\nFurthermore, we confirmed that this vulnerability has the potential to lead to RCE. RCE is possible when ASLR is disabled and there is a suitable one_gadget in libc, provided that options and filenames can be controlled.\n\n## Details\n\n- **Vulnerability Type:** CWE-124: Buffer Underwrite\n- **Affected Component:** MagickCore/image.c - Format processing within InterpretImageFilename()\n- **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)\n- **CWE-124: Buffer Underwrite:** A vulnerability where writing occurs to memory addresses before the beginning of a buffer. This is caused by a design flaw in fixed offset correction, resulting in negative pointer arithmetic during consecutive format specifier processing.\n\n## Reproduction\n\n### Tested Environment\n\n- **Operating System:** Ubuntu 22.04 LTS\n- **Architecture:** x86_64\n- **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0)\n\n### Reproduction Steps\n\n```bash\n# Clone source\ngit clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1\ncd ImageMagick-7.1.1\n\n# Build with ASan\nCFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" CXXFLAGS=\"$CFLAGS\" LDFLAGS=\"-fsanitize=address\" ./configure --enable-maintainer-mode --enable-shared \u0026\u0026 make -j$(nproc) \u0026\u0026 make install\n\n# Trigger crash\n./utilities/magick mogrify %d%d\n```\n\n### Output\n\n```plaintext\n==4155==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda834caae at pc 0x7f1ea367fb27 bp 0x7ffda834b680 sp 0x7ffda834ae10\nWRITE of size 2 at 0x7ffda834caae thread T0\n #0 0x7f1ea367fb26 in __interceptor_vsnprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668\n #1 0x7f1ea2dc9e3e in FormatLocaleStringList MagickCore/locale.c:470\n #2 0x7f1ea2dc9fd9 in FormatLocaleString MagickCore/locale.c:495\n #3 0x7f1ea2da0ad5 in InterpretImageFilename MagickCore/image.c:1696\n #4 0x7f1ea2c6126b in ReadImages MagickCore/constitute.c:1051\n #5 0x7f1ea27ef29b in MogrifyImageCommand MagickWand/mogrify.c:3858\n #6 0x7f1ea278e95d in MagickCommandGenesis MagickWand/magick-cli.c:177\n #7 0x560813499a0c in MagickMain utilities/magick.c:153\n #8 0x560813499cba in main utilities/magick.c:184\n #9 0x7f1ea1c0bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #10 0x7f1ea1c0be3f in __libc_start_main_impl ../csu/libc-start.c:392\n #11 0x560813499404 in _start (/root/workdir/ImageMagick/utilities/.libs/magick+0x2404)\n\nAddress 0x7ffda834caae is located in stack of thread T0 at offset 62 in frame\n #0 0x7f1ea2c60f62 in ReadImages MagickCore/constitute.c:1027\n\n This frame has 2 object(s):\n [32, 40) \u0027images\u0027 (line 1033)\n [64, 4160) \u0027read_filename\u0027 (line 1029) \u003c== Memory access at offset 62 underflows this variable\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork\n (longjmp and C++ exceptions *are* supported)\nSUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668 in __interceptor_vsnprintf\nShadow bytes around the buggy address:\n 0x100035061900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061920: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3\n 0x100035061930: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00\n 0x100035061940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=\u003e0x100035061950: f1 f1 00 f2 f2[f2]00 00 00 00 00 00 00 00 00 00\n 0x100035061960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x1000350619a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==4155==ABORTING\n```\n\n### Affected Code\n\nIn `MagickCore/image.c`, within the `InterpretImageFilename()` function:\n\n```c\nMagickExport size_t InterpretImageFilename(const ImageInfo *image_info,\n Image *image,const char *format,int value,char *filename,\n ExceptionInfo *exception)\n{\n...\n for (p=strchr(format,\u0027%\u0027); p != (char *) NULL; p=strchr(p+1,\u0027%\u0027))\n {\n q=(char *) p+1;\n if (*q == \u0027%\u0027)\n {\n p=q+1;\n continue;\n }\n field_width=0;\n if (*q == \u00270\u0027)\n field_width=(ssize_t) strtol(q,\u0026q,10);\n switch (*q)\n {\n case \u0027d\u0027:\n case \u0027o\u0027:\n case \u0027x\u0027:\n {\n q++;\n c=(*q);\n *q=\u0027\\0\u0027;\n /*--------Affected--------*/\n (void) FormatLocaleString(filename+(p-format-offset),(size_t)\n (MagickPathExtent-(p-format-offset)),p,value);\n offset+=(4-field_width);\n /*--------Affected--------*/\n *q=c;\n (void) ConcatenateMagickString(filename,q,MagickPathExtent);\n canonical=MagickTrue;\n if (*(q-1) != \u0027%\u0027)\n break;\n p++;\n break;\n }\n case \u0027[\u0027:\n {\n ...\n }\n default:\n break;\n }\n }\n```\n\n## Technical Analysis\n\nThis vulnerability is caused by an inconsistency in the template expansion processing within `InterpretImageFilename()`.\n\nThe format specifiers `%d`, `%o`, and `%x` in templates are replaced with integer values by `FormatLocaleString()`, but the output buffer position is calculated by `filename + (p - format - offset)`.\n\nThe `offset` variable is cumulatively incremented to correct the output length of `%d` etc., but the design using a static `offset += (4 - field_width)` causes `offset` to increase excessively when `%` specifiers are consecutive in the template, creating a dangerous state where the write destination address points before `filename`.\n\nThe constant `4` was likely chosen based on the character count of typical format specifiers like `%03d` (total of 4 characters: `%`, `0`, `3`, `d`). However, in reality, there are formats with only 2 characters like `%d`, and formats with longer width specifications (e.g., `%010d`), so this uniform constant-based correction is inconsistent with actual template structures.\n\nAs a result, when the correction value becomes excessive, `offset` exceeds the relative position `p - format` within the template, generating a negative index. This static and template-independent design of the correction processing is the root cause of this vulnerability.\n\nThis causes `vsnprintf()` to write outside the stack buffer range, which is detected by AddressSanitizer as a `stack-buffer-overflow`.\n\n## Proposed Fix\n\nIn `MagickCore/image.c`, within the `InterpretImageFilename()` function:\n\n```c\nMagickExport size_t InterpretImageFilename(const ImageInfo *image_info,\n Image *image,const char *format,int value,char *filename,\n ExceptionInfo *exception)\n{\n...\n /*--------Changed--------*/\n ssize_t\n field_width,\n offset,\n written; // Added\n /*--------Changed--------*/\n...\n for (p=strchr(format,\u0027%\u0027); p != (char *) NULL; p=strchr(p+1,\u0027%\u0027))\n {\n q=(char *) p+1;\n if (*q == \u0027%\u0027)\n {\n p=q+1;\n continue;\n }\n field_width=0;\n if (*q == \u00270\u0027)\n field_width=(ssize_t) strtol(q,\u0026q,10);\n switch (*q)\n {\n case \u0027d\u0027:\n case \u0027o\u0027:\n case \u0027x\u0027:\n {\n q++;\n c=(*q);\n *q=\u0027\\0\u0027;\n written = FormatLocaleString(filename+(p-format-offset),(size_t)\n (MagickPathExtent-(p-format-offset)),p,value);\n /*--------Changed--------*/\n if (written \u003c= 0 || written \u003e (MagickPathExtent - (p - format - offset)))\n return 0;\n offset += (ssize_t)((q - p) - written);\n /*--------Changed--------*/\n *q=c;\n (void) ConcatenateMagickString(filename,q,MagickPathExtent);\n canonical=MagickTrue;\n if (*(q-1) != \u0027%\u0027)\n break;\n p++;\n break;\n }\n case \u0027[\u0027:\n {\n ...\n }\n default:\n break;\n }\n }\n```\n- By updating `offset` based on the difference between template description length `(q - p)` and the number of output bytes `written`, buffer position consistency is maintained.\n- Correction is performed according to the actual template structure, ensuring stable behavior regardless of format length without relying on static constants.\n- Range checking of `written` allows detection of vsnprintf failures and excessive writes.\n\n### Commits\nFixed in https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774 and https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e",
"id": "GHSA-qh3h-j545-h8c9",
"modified": "2025-11-03T21:34:07Z",
"published": "2025-08-25T15:43:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53101"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has a Stack Buffer Overflow in image.c"
}
GHSA-QJGC-HX5R-R632
Vulnerability from github – Published: 2026-05-20 00:31 – Updated: 2026-05-20 00:31Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memory Segment (TSEG) memory region, potentially resulting in loss of confidentiality or integrity.
{
"affected": [],
"aliases": [
"CVE-2024-36343"
],
"database_specific": {
"cwe_ids": [
"CWE-124"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T22:16:35Z",
"severity": "MODERATE"
},
"details": "Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memory Segment (TSEG) memory region, potentially resulting in loss of confidentiality or integrity.",
"id": "GHSA-qjgc-hx5r-r632",
"modified": "2026-05-20T00:31:41Z",
"published": "2026-05-20T00:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36343"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WCQF-W94X-4WG2
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-05-19 15:31The API function ssh_get_hexa() is vulnerable, when 0-lenght
input is provided to this function. This function is used internally
in ssh_get_fingerprint_hash() and ssh_print_hexa() (deprecated),
which is vulnerable to the same input (length is provided by the
calling application).
The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.
{
"affected": [],
"aliases": [
"CVE-2026-0966"
],
"database_specific": {
"cwe_ids": [
"CWE-124"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T21:17:00Z",
"severity": "MODERATE"
},
"details": "The API function `ssh_get_hexa()` is vulnerable, when 0-lenght\ninput is provided to this function. This function is used internally\nin `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),\nwhich is vulnerable to the same input (length is provided by the\ncalling application).\n\nThe function is also used internally in the gssapi code for logging\nthe OIDs received by the server during GSSAPI authentication. This\ncould be triggered remotely, when the server allows GSSAPI authentication\nand logging verbosity is set at least to SSH_LOG_PACKET (3). This\ncould cause self-DoS of the per-connection daemon process.",
"id": "GHSA-wcqf-w94x-4wg2",
"modified": "2026-05-19T15:31:19Z",
"published": "2026-03-26T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0966"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18160"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7067"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-0966"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433121"
},
{
"type": "WEB",
"url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that is not susceptible to these issues.
Mitigation
All calculated values that are used as index or for pointer arithmetic should be validated to ensure that they are within an expected range.
No CAPEC attack patterns related to this CWE.