VYPR
Medium severity 6.5 · NVD Advisory · Published Jul 21, 2017 · Updated May 13, 2026

CVE-2017-11505

Description

A malformed JNG file can cause high CPU consumption in ImageMagick's ReadOneJNGImage function due to a controllable large loop.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the ReadOneJNGImage function in coders/png.c of ImageMagick through versions 6.9.9-0 and 7.0.6-1. A large loop at line 4383 iterates based on a length value read from the file via ReadBlobMSBLong at line 4362, which can be set to an arbitrary 32-bit value by a crafted JNG file. This leads to excessive attempted reads, causing CPU exhaustion [1].
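The length-driven loop described above, modelled beside a bounded version, as an added example (it is not ImageMagick's code and not its patch). The Blob type, the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-memory blob standing in for the file being decoded. */
typedef struct { const uint8_t *data; size_t size, pos; } Blob;

/* Next byte, or -1 once the data is exhausted (a failed read). */
static int blob_getc(Blob *b) { return b->pos < b->size ? b->data[b->pos++] : -1; }

/* Big-endian 32-bit read: the role ReadBlobMSBLong plays in the advisory. */
static uint32_t blob_msb_long(Blob *b) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) { int c = blob_getc(b); v = (v << 8) | (uint32_t)(c < 0 ? 0 : c); }
    return v;
}

/* Unchecked pattern: the loop bound is whatever the file declares.
   Returns the number of read attempts, including failed ones past the end. */
uint64_t read_chunk_unchecked(Blob *b, uint8_t *out, size_t cap) {
    uint32_t length = blob_msb_long(b);
    uint64_t attempts = 0;
    for (uint32_t i = 0; i < length; i++, attempts++) {
        int c = blob_getc(b);
        if (c >= 0 && i < cap) out[i] = (uint8_t)c;
    }
    return attempts;
}

/* Checked pattern: refuse a length the remaining data cannot satisfy and
   stop at the first failed read. Returns bytes copied, or -1 if rejected. */
long read_chunk_checked(Blob *b, uint8_t *out, size_t cap) {
    uint32_t length = blob_msb_long(b);
    if (length > b->size - b->pos || length > cap) return -1;
    for (uint32_t i = 0; i < length; i++) {
        int c = blob_getc(b);
        if (c < 0) return -1;
        out[i] = (uint8_t)c;
    }
    return (long)length;
}

/* Constructed samples: SAMPLE declares 0x000F4240 (1,000,000) bytes but carries 3. */
static const uint8_t SAMPLE[] = { 0x00, 0x0F, 0x42, 0x40, 'a', 'b', 'c' };
static const uint8_t VALID[]  = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };

uint64_t demo_unchecked(const uint8_t *d, size_t n) { uint8_t o[8]; Blob b = { d, n, 0 }; return read_chunk_unchecked(&b, o, sizeof o); }
long demo_checked(const uint8_t *d, size_t n) { uint8_t o[8]; Blob b = { d, n, 0 }; return read_chunk_checked(&b, o, sizeof o); }
int main(void) { printf("attempts=%llu checked=%ld\n", (unsigned long long)demo_unchecked(SAMPLE, sizeof SAMPLE), demo_checked(SAMPLE, sizeof SAMPLE)); return 0; }
```

In the unchecked form a 7-byte input drives one million read attempts; the checked form rejects the same input before the loop starts.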

Exploitation

An attacker can exploit this by supplying a specially crafted JNG file (e.g., the provided testcase [1]) to a victim who processes the file with ImageMagick (e.g., using magick identify). No authentication or special network position is required beyond delivering the file through standard means (email, web upload, etc.). The large loop causes many failed I/O operations, consuming CPU resources [1].

Impact

Successful exploitation results in a denial of service (DoS) condition via high CPU consumption. No data confidentiality, integrity, or additional access is compromised; the primary impact is resource exhaustion leading to degraded performance or service unavailability for the process using ImageMagick [1].

Mitigation

ImageMagick has addressed this in subsequent releases (version 7.0.6-2 and later, and likely a patched 6.9.x version). Users should upgrade to a fixed version. If upgrading is not immediately possible, avoid processing untrusted JNG files or restrict file upload handling to limit exposure [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 76

References: 2
