Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7rvh-xqp3-pr8j: ImageMagick's failure to limit MVG mutual causes Stack Overflow

Summary

Magick fails to check for circular references between two MVGs, leading to a stack overflow.

Details

After reading mvg1 using Magick, the following is displayed:

./magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3564123==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589549a4458 bp 0x7ffcc61f34a0 sp 0x7ffcc61efdd0 T0)
    #0 0x5589549a4458 in GetImagePixelCache MagickCore/cache.c:1726
    #1 0x5589549b02c1 in QueueAuthenticPixelCacheNexus MagickCore/cache.c:4261
    #2 0x5589549a2f24 in GetAuthenticPixelCacheNexus MagickCore/cache.c:1368
    #3 0x5589549bae98 in GetCacheViewAuthenticPixels MagickCore/cache-view.c:311
    #4 0x558954afb3a5 in DrawPolygonPrimitive._omp_fn.1 MagickCore/draw.c:5172
    #5 0x7f62dd89fa15 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x14a15)
    #6 0x558954ae0f41 in DrawPolygonPrimitive MagickCore/draw.c:5156
    #7 0x558954ae5607 in DrawPrimitive MagickCore/draw.c:5875
    #8 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #9 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #10 0x55895496cedb in RenderFreetype MagickCore/annotate.c:2065
    #11 0x55895496702e in RenderType MagickCore/annotate.c:1112
    #12 0x558954963da7 in AnnotateImage MagickCore/annotate.c:544
    #13 0x558954ae4e0a in DrawPrimitive MagickCore/draw.c:5799
    #14 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #15 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #16 0x558954755a46 in ReadMVGImage coders/mvg.c:240
    #17 0x558954a15ecc in ReadImage MagickCore/constitute.c:743
    #18 0x558954ae3c76 in DrawPrimitive MagickCore/draw.c:5705
    #19 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #20 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #21 0x558954755a46 in ReadMVGImage coders/mvg.c:240
    ...

Impact

This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected.

ghsa
Open in Source
#vulnerability#linux#git#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-68950

ImageMagick’s failure to limit MVG mutual causes Stack Overflow

Moderate severity GitHub Reviewed Published Dec 30, 2025 in ImageMagick/ImageMagick • Updated Dec 30, 2025

Package

nuget Magick.NET-Q16-AnyCPU (NuGet)

Affected versions

< 14.10.1

nuget Magick.NET-Q16-HDRI-AnyCPU (NuGet)

nuget Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet)

nuget Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet)

nuget Magick.NET-Q16-HDRI-arm64 (NuGet)

nuget Magick.NET-Q16-HDRI-x64 (NuGet)

nuget Magick.NET-Q16-HDRI-x86 (NuGet)

nuget Magick.NET-Q16-OpenMP-arm64 (NuGet)

nuget Magick.NET-Q16-OpenMP-x64 (NuGet)

nuget Magick.NET-Q16-arm64 (NuGet)

nuget Magick.NET-Q16-x86 (NuGet)

nuget Magick.NET-Q8-AnyCPU (NuGet)

nuget Magick.NET-Q8-OpenMP-arm64 (NuGet)

nuget Magick.NET-Q8-OpenMP-x64 (NuGet)

nuget Magick.NET-Q8-arm64 (NuGet)

nuget Magick.NET-Q8-x64 (NuGet)

nuget Magick.NET-Q8-x86 (NuGet)

Summary

Magick fails to check for circular references between two MVGs, leading to a stack overflow.

Details

After reading mvg1 using Magick, the following is displayed:

./magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3564123==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589549a4458 bp 0x7ffcc61f34a0 sp 0x7ffcc61efdd0 T0)
    #0 0x5589549a4458 in GetImagePixelCache MagickCore/cache.c:1726
    #1 0x5589549b02c1 in QueueAuthenticPixelCacheNexus MagickCore/cache.c:4261
    #2 0x5589549a2f24 in GetAuthenticPixelCacheNexus MagickCore/cache.c:1368
    #3 0x5589549bae98 in GetCacheViewAuthenticPixels MagickCore/cache-view.c:311
    #4 0x558954afb3a5 in DrawPolygonPrimitive._omp_fn.1 MagickCore/draw.c:5172
    #5 0x7f62dd89fa15 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x14a15)
    #6 0x558954ae0f41 in DrawPolygonPrimitive MagickCore/draw.c:5156
    #7 0x558954ae5607 in DrawPrimitive MagickCore/draw.c:5875
    #8 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #9 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #10 0x55895496cedb in RenderFreetype MagickCore/annotate.c:2065
    #11 0x55895496702e in RenderType MagickCore/annotate.c:1112
    #12 0x558954963da7 in AnnotateImage MagickCore/annotate.c:544
    #13 0x558954ae4e0a in DrawPrimitive MagickCore/draw.c:5799
    #14 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #15 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #16 0x558954755a46 in ReadMVGImage coders/mvg.c:240
    #17 0x558954a15ecc in ReadImage MagickCore/constitute.c:743
    #18 0x558954ae3c76 in DrawPrimitive MagickCore/draw.c:5705
    #19 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #20 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #21 0x558954755a46 in ReadMVGImage coders/mvg.c:240
    ...

Impact

This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected.

References

  • GHSA-7rvh-xqp3-pr8j
  • https://nvd.nist.gov/vuln/detail/CVE-2025-68950
  • ImageMagick/ImageMagick@204718c

Published to the GitHub Advisory Database

Dec 30, 2025

Last updated

Dec 30, 2025

ghsa: Latest News

GHSA-95qg-89c2-w5hj: theshit vulnerable to unsafe loading of user-owned Python rules when running as root
ghsa