VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17914

Description

ImageMagick 7.0.7-16 Q16 contains a denial of service vulnerability via a crafted MNG file triggering an infinite loop in ReadOnePNGImage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the function ReadOnePNGImage in coders/png.c in ImageMagick version 7.0.7-16 Q16. When processing a specially crafted MNG image file, the function enters a large loop causing excessive CPU and memory consumption. The issue is triggered by the magick convert command with the crafted file [2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious MNG image file and tricking a user or automated system into processing it with ImageMagick. No authentication is required; the attacker only needs a way to deliver the file to the victim (e.g., via email or a website upload). When the victim runs magick convert ./crafted.mng /dev/null, ImageMagick enters an infinite loop in coders/png.c at line 7408, leading to resource exhaustion [2].

Impact

Successful exploitation results in a denial of service (DoS) condition, where the affected system experiences 100% CPU usage and memory consumption, potentially causing the system to become unresponsive or crash [2]. The vulnerability does not lead to code execution or data compromise according to the available references.

Mitigation

The official fix was released in ImageMagick versions after 7.0.7-16. Ubuntu provided updates in USN-3681-1 for affected Ubuntu releases [1]. Users should update to the latest patched version. As a workaround, avoid processing untrusted MNG files with ImageMagick. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
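One way to apply the workaround in an automated pipeline, as an added example that is not from the advisory or from ImageMagick: reject MNG input by its file signature and run the converter under CPU, memory and wall-clock ceilings so a decoder loop in any format is cut off. The function names, the limit values and the assumption of a POSIX host with magick on PATH are illustrative.

```python
import resource
import subprocess

# First 8 bytes of each PNG-family container (values from the PNG/MNG/JNG specs).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\x8aMNG\r\n\x1a\n": "MNG",
    b"\x8bJNG\r\n\x1a\n": "JNG",
}
BLOCKED = {"MNG"}  # assumption: this service never needs MNG input


def sniff(data: bytes) -> str:
    """Classify by content; the sender controls the file name and extension."""
    return SIGNATURES.get(data[:8], "OTHER")


def allowed(data: bytes) -> bool:
    return sniff(data) not in BLOCKED


def _cap(kind: int, value: int) -> None:
    """Lower a resource limit without exceeding the inherited hard limit."""
    hard = resource.getrlimit(kind)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def run_limited(argv, wall_seconds=10, cpu_seconds=5, mem_bytes=512 * 2**20):
    """Run a child under CPU, memory and wall-clock ceilings; True only on exit 0."""
    def limits():  # runs in the child between fork and exec
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)

    try:
        done = subprocess.run(argv, preexec_fn=limits, timeout=wall_seconds,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return False  # subprocess.run has already killed the child
    return done.returncode == 0


def convert_untrusted(path: str, out: str) -> bool:
    with open(path, "rb") as fh:
        if not allowed(fh.read(8)):
            return False  # rejected before ImageMagick ever opens the file
    return run_limited(["magick", "convert", path, out])
```

The signature check only covers the MNG delivery path named in this advisory; the resource ceilings are what bound the damage if a file that passes the check still drives the decoder into a long loop.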

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

15


References

5
