CVE-2025-57807

Publication date 5 September 2025

Last updated 19 September 2025

Ubuntu priority

Cvss 3 Severity Score

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. ImageMagick versions lower than 14.8.2 include insecure functions: SeekBlob(), which permits advancing the stream offset beyond the current end without increasing capacity, and WriteBlob(), which then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required. This is fixed in version 14.8.2.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
imagemagick	25.10 questing	Not affected
	25.04 plucky	Vulnerable
	24.04 LTS noble	Fixed 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm2
	22.04 LTS jammy	Fixed 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5+esm3
	20.04 LTS focal	Fixed 8:6.9.10.23+dfsg-2.1ubuntu11.11+esm3
	18.04 LTS bionic	Fixed 8:6.9.7.4+dfsg-16ubuntu6.15+esm5
	16.04 LTS xenial	Fixed 8:6.8.9.9-7ubuntu5.16+esm13
	14.04 LTS trusty	Fixed 8:6.7.7.10-6ubuntu3.13+esm14

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Severity score breakdown

Parameter	Value
Base score	3.8 · Low
Attack vector	Local
Attack complexity	High
Privileges required	High
User interaction	Required
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	Low
Vector	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

References

Related Ubuntu Security Notices (USN)

USN-7756-1
ImageMagick vulnerabilities
18 September 2025