LiveActive security incident?Get immediate response
CVE Record

CVE-2025-65955: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34.

MediumCVSS 4.9Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

ImageMagick versions before 7.1.2-9 and 6.9.13-34 can mishandle memory when Magick++ clears a font family. The documented impact is crash or heap corruption, with limited confidentiality, integrity, and availability impact. This is not listed as KEV, and the provided sources do not show active exploitation.

Executive priority

Treat as a moderate patching item. Accelerate remediation for production services that depend on ImageMagick Magick++ drawing or font handling, but the supplied evidence does not justify emergency response on its own.

Technical view

In Magick++, calling Options::fontFamily with an empty string can free _drawInfo->font while leaving stale pointers in _drawInfo->font and _drawInfo->family. Later destruction or font updates may dereference or free invalid memory, creating CWE-415/CWE-416 conditions. Fixed releases are 7.1.2-9 and 6.9.13-34.

Likely exposure

Exposure is most likely in applications or libraries using ImageMagick Magick++ font APIs, especially code paths that clear font family settings. The source bundle does not show this as a general image-file parsing flaw or confirm remote reachability.

Exploitation context

CVSS is 4.9 with local attack vector and high attack complexity. KEV is false. The supplied sources support crash or heap corruption risk, but do not provide evidence of public exploitation, weaponized exploit code, or broad remote attack paths.

Researcher notes

The key condition is Options::fontFamily invoked with an empty string, causing stale _drawInfo pointers and later cleanup or setter failures. Evidence is incomplete for distro backports, real-world reachability, and exploitation beyond crash or heap corruption.

Mitigation direction

  • Upgrade ImageMagick to 7.1.2-9, 6.9.13-34, or later.
  • Check vendor or distribution advisories for backported fixed packages.
  • Prioritize systems using Magick++ font or drawing APIs.
  • Redeploy containers and bundled applications carrying affected ImageMagick versions.
  • Monitor ImageMagick advisories for any revised exploitability guidance.

Validation and detection

  • Inventory ImageMagick versions across hosts, containers, and application bundles.
  • Confirm deployed versions are not below 7.1.2-9 or 6.9.13-34.
  • Review SBOMs and package lockfiles for embedded ImageMagick dependencies.
  • Check code for Magick++ fontFamily, font, or drawing option usage.
  • Run non-offensive regression tests around font setting and cleanup paths.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-415: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-65955 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.9 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.9CVSS 3.1MediumCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L1.43.4GitHub_M

Vulnerability scoring details

Base CVSS 3.1 score

4.9Medium
CVSS 3.1 vector shape for CVE-2025-65955Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
ImageMagickImageMagick>= 7.0.1-0, < 7.1.2-9, < 6.9.13-34Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-415 · source CWE mapping

Double Free

Double Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.