VYPR
Unrated severity · NVD Advisory · Published Mar 1, 2018 · Updated Aug 5, 2024

CVE-2017-18209

Description

NULL pointer dereference in ImageMagick's GetOpenCLCacheDirectory function due to unchecked memory allocation may lead to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in ImageMagick 7.0.7 and possibly earlier versions, residing in the GetOpenCLCachedFilesDirectory function in magick/opencl.c. The flaw occurs because the return value of AcquireMagickMemory() is not checked before being used; if memory allocation fails, the resulting NULL pointer is passed to CopyMagickString(), causing a crash [2]. The vulnerable code path is triggered when the GetOpenCLCacheDirectory function is invoked, typically during processing of certain malformed image files under OpenCL-enabled configurations [1].
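
The unchecked-allocation pattern described above, shown beside a checked version, as an added illustration (not ImageMagick's source and not its actual fix). `alloc_fn`, `failing_alloc`, `copy_string` and the two `cache_dir_*` functions are hypothetical stand-ins for AcquireMagickMemory(), CopyMagickString() and the affected function; the path is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook: lets the failure path be exercised.
   Stands in for AcquireMagickMemory(), which can return NULL. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void) n; return NULL; }

/* Bounded copy standing in for CopyMagickString(): it writes through
   dst without validating it, so a NULL dst is dereferenced. */
static size_t copy_string(char *dst, const char *src, size_t cap)
{
  size_t i = 0;
  if (cap == 0) return 0;
  for (; i + 1 < cap && src[i] != '\0'; i++)
    dst[i] = src[i];
  dst[i] = '\0';
  return i;
}

/* BEFORE: the allocation result is used unchecked. If alloc() returns
   NULL, copy_string() writes through it and the process crashes. */
char *cache_dir_unchecked(alloc_fn alloc, const char *home)
{
  size_t cap = strlen(home) + 1;
  char *path = (char *) alloc(cap);
  copy_string(path, home, cap);      /* NULL dereference on failure */
  return path;
}

/* AFTER: check the allocation and report the failure to the caller. */
char *cache_dir_checked(alloc_fn alloc, const char *home)
{
  size_t cap = strlen(home) + 1;
  char *path = (char *) alloc(cap);
  if (path == NULL)
    return NULL;                     /* caller handles "no cache dir" */
  copy_string(path, home, cap);
  return path;
}

int main(void)
{
  const char *home = "/home/user/.cache";   /* constructed sample path */
  char *ok = cache_dir_checked(malloc, home);
  char *bad = cache_dir_checked(failing_alloc, home);
  printf("ok=%s alloc-failure-handled=%s\n", ok ? ok : "(null)", bad ? "no" : "yes");
  free(ok);
  return 0;
}
```

Callers of the checked form must treat a NULL return as "cache directory unavailable" rather than passing it on to further string routines.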

Exploitation

An attacker must craft a malicious image file that, when processed by a vulnerable ImageMagick instance, causes the vulnerable code path to execute. No special authentication or network position is required beyond delivering the file to the target (e.g., via email or upload). User interaction is needed—a user or automated system must open the crafted image with ImageMagick. The attack does not require any race condition or privilege escalation; it relies solely on triggering the memory allocation failure and subsequent NULL pointer dereference [1][2].

Impact

Successful exploitation results in a denial of service (DoS) via application crash due to the segmentation fault caused by dereferencing NULL. The vulnerability does not yield code execution or information disclosure; it only affects availability [1][2]. The crash occurs with the privileges of the user running ImageMagick.

Mitigation

The vulnerability is fixed in ImageMagick versions released after the issue was reported. Ubuntu released a security update (USN-3681-1) on 2018-03-05, updating the imagemagick package to versions that include the fix [1]. Users should update to the latest patched version of ImageMagick. As a workaround, disabling OpenCL support or applying file validation to block malformed images can reduce risk, but the recommended mitigation is to apply the available patch [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12

Patches

0

No patches discovered yet.

References

4
