High severity8.8NVD Advisory· Published Aug 23, 2017· Updated May 13, 2026

CVE-2017-13146

Description

Memory leak in ImageMagick's ReadMATImage function allows denial of service via crafted MAT file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in ImageMagick's ReadMATImage function allows denial of service via crafted MAT file.

Vulnerability

A memory leak exists in ImageMagick before version 6.9.8-5 and version 7.x before 7.0.5-6 in the ReadMATImage function within coders/mat.c. The leak occurs because the QuantumInfo structure is not properly initialized to NULL before use, and DestroyQuantumInfo is called without first checking if the pointer is non-null. This affects the parsing of MATLAB MAT image files. Versions prior to the fix are vulnerable when processing specially crafted .mat files [1].

Exploitation

An attacker can trigger this vulnerability by supplying a maliciously crafted MATLAB .mat file to an application using ImageMagick for image processing. No special privileges are required; the user or service processing the file must open it with ImageMagick. The exploit does not require authentication or network access beyond delivering the file. The sequence involves the ReadMATImage code path, where a failure to initialize quantum_info leads to calling DestroyQuantumInfo on an uninitialized pointer, causing a memory leak [1].

Impact

Successful exploitation results in a memory leak, which can exhaust system memory over repeated operations, leading to a denial of service (DoS) condition. The vulnerability does not directly allow code execution or data theft, but the memory exhaustion can cause instability or crash the application, affecting availability [2].

Mitigation

ImageMagick version 6.9.8-5 and version 7.0.5-6 contain the fix. Users should upgrade to these or later versions. For details, see the commit [1] and Gentoo advisory GLSA 201711-07 [2]. No workaround is available; updating is the recommended mitigation.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

ImageMagick/Imagemagick50 versions
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*+ 49 more
- cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*range: <=6.9.8-4
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.2-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.4-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.5-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.5-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.5-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.5-5:*:*:*:*:*:*:*
- (no CPE)range: <6.9.8-5, >=7.0.0 <7.0.5-6
osv-coords14 versions
pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3
< 6.8.8.1-71.26.1+ 13 more
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.4.3.6-7.78.22.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.4.3.6-7.78.22.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.4.3.6-7.78.22.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1
- (no CPE)range: < 6.8.8.1-71.26.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ImageMagick/ImageMagick/commit/79e5dbcdd1fc2f714f9bae548bc55d5073f3ed20nvdPatchVendor Advisory
bugs.debian.org/cgi-bin/bugreport.cginvdIssue TrackingThird Party Advisory
security.gentoo.org/glsa/201711-07nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000