CVE-2025-46393

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

In multispectral MIFF image processing in ImageMagick before 7.1.1-44, packet_size is mishandled (related to the rendering of all channels in an arbitrary order).

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

community-verified Authored 2026-05-29

{

Immediate: Disable MIFF coder in policy.xml to prevent exploitation until patched.

<policymap>
  <policy domain="coder" rights="none" pattern="MIFF" />
</policymap>

Place in /etc/ImageMagick-7/policy.xml (or ~/.config/ImageMagick/ for user installs). Verify:

identify -list policy | grep -A2 MIFF

Permanent: Upgrade to 7.1.1-44 or apply commit a8f3c12. Restart any daemons invoking convert/mogrify.

Rollback: Remove the <policy> stanza and restart services. No data loss risk—purely restrictive.

}

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`0`
debian	bullseye	fixed	`0`
debian	forky	fixed	`8:7.1.1.46+dfsg1-1`
debian	sid	fixed	`8:7.1.1.46+dfsg1-1`
debian	trixie	fixed	`8:7.1.1.43+dfsg1-1+deb13u1`
sles		affected

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.