CVE-2025-65955Double Free in Imagemagick

CWE-415Double FreeCWE-416Use After FreeCWE-825Expired Pointer Dereference6 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 92.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ImagemagickDebian Imagemagick
Timeline
PublishedDec 2
Latest updateDec 3

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _d

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:HExploitability: 1.8 | Impact: 4.2

Affected Packages4 packages

debiandebian/imagemagick< imagemagick 8:6.9.11.60+dfsg-1.6+deb12u5 (bookworm)
NVDimagemagick/imagemagick7.0.0-07.1.2-9+1
Debianimagemagick/imagemagick< 8:6.9.11.60+dfsg-1.3+deb11u8+3
CVEListV5imagemagick/imagemagick>= 7.0.1-0, < 7.1.2-9

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Withdrawn Advisory: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family2025-12-03
GHSA
Withdrawn Advisory: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family2025-12-03
OSV
CVE-2025-65955: ImageMagick is free and open-source software used for editing and manipulating digital images2025-12-02

📋Vendor Advisories

2
Red Hat
imagemagick: ImageMagick use-after-free/double-free2025-12-02
Debian
CVE-2025-65955: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d...2025