CVE-2025-57803: 
C# vulnerability analysis and mitigation

CVE-2025-57803 affects ImageMagick's 32-bit builds prior to versions 7.1.2-2 and 6.9.13-28. The vulnerability was discovered and disclosed on August 26, 2025, impacting the BMP encoder functionality in ImageMagick, a free and open-source software used for editing and manipulating digital images (NVD, Security Online).

The vulnerability stems from a 32-bit integer overflow in the BMP encoder's scanline-stride computation. When processing images with a width of at least 178,956,970 pixels, the bytesperline (stride) calculation collapses to a small value while the per-row writer continues to emit 3 × width bytes for 24-bpp images. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) by NVD and 7.5 (High) by GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability can lead to heap corruption and potentially remote code execution. When exploited, it allows attacker-controlled data to overflow into adjacent heap memory, providing a powerful primitive for heap corruption in common auto-convert pipelines. The issue is particularly dangerous in scenarios where user-supplied images are automatically converted or processed server-side, such as web applications using ImageMagick in file upload pipelines, automated thumbnail generators, and normalization processes in content management systems (Security Online).

The vulnerability has been patched in ImageMagick versions 6.9.13-28 and 7.1.2-2. Users running 32-bit builds must upgrade to these versions or later. The fix includes additional checks around stride computation and enforces a per-row invariant to ensure the number of bytes emitted per row always fits within the computed stride (GitHub Advisory, Magick.NET).