CVE-2017-18251
Description
A memory leak in ImageMagick 7.0.7's ReadPCDImage allows remote attackers to cause denial of service via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A memory leak vulnerability exists in ImageMagick 7.0.7 in the function ReadPCDImage in coders/pcd.c. The code allocates three buffers (chroma1, chroma2, luma) using AcquireQuantumMemory. If any allocation fails (returns NULL), ThrowReaderException is called, but the buffers that were allocated successfully are not freed first, causing a memory leak [2]. The issue is triggered when processing a specially crafted PCD file.
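The cleanup pattern described above, as an added example that is not taken from ImageMagick's source: it contrasts an error path that returns as soon as one of the three allocations fails with one that first releases the buffers that succeeded. The names test_alloc, release3 and read_planes are hypothetical; test_alloc stands in for AcquireQuantumMemory and can be told which call should fail.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for AcquireQuantumMemory: the fail_at-th call
   (1-based, 0 = never) returns NULL; `live` counts unreleased blocks. */
static int calls, fail_at, live;

static void *test_alloc(size_t count, size_t size)
{
    void *p = (++calls == fail_at) ? NULL : calloc(count, size);
    if (p != NULL) live++;
    return p;
}

static void release3(void *a, void *b, void *c)
{
    void *v[3] = { a, b, c };
    for (int i = 0; i < 3; i++)
        if (v[i] != NULL) { free(v[i]); live--; }
}

/* Allocates the three planes. On failure, cleanup=0 models the pattern from
   the description (error raised at once) and cleanup=1 the corrected one.
   Returns the number of blocks still held when the function gives up. */
static int read_planes(size_t n, int fail_on, int cleanup)
{
    calls = 0; fail_at = fail_on; live = 0;
    void *chroma1 = test_alloc(n, 1);
    void *chroma2 = test_alloc(n, 1);
    void *luma = test_alloc(n, 1);
    if (chroma1 == NULL || chroma2 == NULL || luma == NULL) {
        if (cleanup) release3(chroma1, chroma2, luma);  /* corrected: free what succeeded */
        int held = live;                                /* leaky path gives up here */
        if (!cleanup) release3(chroma1, chroma2, luma); /* demo only: keep the process clean */
        return held;
    }
    release3(chroma1, chroma2, luma);                   /* normal end of decoding */
    return live;
}

int main(void)
{
    for (int k = 0; k <= 3; k++) {
        int leaky = read_planes(64, k, 0), fixed = read_planes(64, k, 1);
        printf("fail_on=%d held: leaky=%d fixed=%d\n", k, leaky, fixed);
    }
    return 0;
}
```

Whichever of the three allocations fails, the leaky path gives up while still holding the two buffers that succeeded; the corrected path holds none.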
Exploitation
An attacker must craft a malformed PCD image file that triggers the memory allocation failure for at least one of the three buffers, while the other allocations succeed. The victim must open the crafted file using a vulnerable version of ImageMagick (e.g., via automatic processing or user interaction). No authentication or special network position is required beyond delivering the file [1].
Impact
Successful exploitation leads to a memory leak, gradually exhausting available memory and causing a denial of service (DoS). The leak does not directly lead to code execution, but repeated triggering could crash the application or affect system stability. The CIA impact is primarily availability [1][2].
Mitigation
The vulnerability is fixed in Ubuntu 18.04 LTS with ImageMagick package version 8:6.9.7.4+dfsg-16ubuntu6 [1]. Upgrading to a patched version of ImageMagick (7.0.7-2 or later) mitigates the issue. No workaround is listed in available references; users should update the software via their package manager or from the official ImageMagick repository.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- Range: =7.0.7
- osv-coords (10 versions):
  - pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 1.2.5-78.47.1
  - pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Studio%20Onsite%201.3 (no CPE), range: < 1.2.5-78.47.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 6.4.3.6-78.45.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 6.4.3.6-78.45.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 6.4.3.6-78.45.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] usn.ubuntu.com/3681-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- [2] github.com/ImageMagick/ImageMagick/issues/809 (mitre, x_refsource_CONFIRM)