CVE-2018-10177
Description
ImageMagick 7.0.7-28 contains an infinite loop in ReadOneMNGImage, allowing denial of service via a crafted MNG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick version 7.0.7-28, the ReadOneMNGImage function in coders/png.c contains an infinite loop. The loop condition checks LocaleCompare(image_info->magick,"MNG") == 0 but image_info is never updated inside the loop, causing it to run indefinitely when processing a specially crafted MNG file [2]. This affects the MNG decoder path.
Exploitation
An attacker can trigger the vulnerability by providing a malicious MNG file to any ImageMagick tool that processes images (e.g., convert). No authentication is required; the attacker only needs to convince a user or automated system to open the crafted file. The file triggers the infinite loop upon parsing, leading to a denial of service.
Impact
Successful exploitation results in a denial of service: the ImageMagick process hangs indefinitely, consuming CPU resources. The vulnerability does not appear to allow code execution or information disclosure based on the available references [1][2].
Mitigation
The fix is included in ImageMagick versions after 7.0.7-28. Ubuntu released updates in USN-3681-1 [1] for Ubuntu 18.04 LTS and other releases. Users should update their ImageMagick packages to the latest version. No workaround is documented; the only mitigation is to apply the patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 7.0.7-28
- osv-coords (10 versions):
  - pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 1.2.5-78.52.1
  - pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Studio%20Onsite%201.3 (no CPE), range: < 1.2.5-78.52.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 6.4.3.6-78.45.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 6.4.3.6-78.45.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 6.4.3.6-78.45.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 (no CPE), range: < 6.8.8.1-71.54.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing update of `image_info` inside a loop causes an infinite loop in `ReadOneMNGImage`."
Attack vector
An attacker provides a specially crafted MNG file to ImageMagick. When the `convert` utility (or any image-reading path) processes this file, the `ReadOneMNGImage` function enters a `do...while` loop whose termination condition depends on `image_info->magick`. Because `image_info` is never modified inside the loop, the condition never becomes false, causing an infinite loop and a denial of service [ref_id=1]. No authentication or special privileges are required; the attacker only needs to deliver the malicious file to a victim or service that processes images with ImageMagick.
Affected code
The vulnerability resides in the `ReadOneMNGImage` function in `coders/png.c` (line 7428). The loop condition `LocaleCompare(image_info->magick,"MNG") == 0` depends only on `image_info`, which is never updated inside the loop body, causing an infinite loop when processing a crafted MNG file [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the issue is clearly identified: the loop at line 7428 checks `LocaleCompare(image_info->magick,"MNG") == 0` while `image_info` is never updated within the loop body [ref_id=1]. A proper fix would either update `image_info` inside the loop (e.g., by reassigning it from the current frame's image info) or change the loop condition to a different termination criterion that does not depend on an unchanging value. Without such a change, any MNG file that reaches this loop will cause an infinite hang.
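A simplified C model of the loop shape described above, added here as an illustration and not taken from ImageMagick's `coders/png.c` or its fix: `invariant_loop_iterations` can exit only through a format name that is constant for the call, while `walk_chunks` ties termination to input progress. The short-read condition, the function names, the `max_chunks` budget and the constructed `SAMPLE` bytes are assumptions of this example.

```c
#include <string.h>
/* Simplified model, NOT ImageMagick source. Chunk layout as in PNG/MNG:
   4-byte big-endian length, 4-byte type, data, 4-byte CRC (not verified). */
enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_BUDGET = -2 };
/* Constructed sample (signature omitted, empty chunks): MHDR then MEND. */
const unsigned char SAMPLE[24] = { 0,0,0,0,'M','H','D','R',0,0,0,0,
                                   0,0,0,0,'M','E','N','D',0,0,0,0 };
/* Returns 1 and advances *off past one whole chunk, 0 on a short read. */
static int next_chunk(const unsigned char *b, size_t len, size_t *off,
                      const unsigned char **type) {
  const unsigned char *p = b + *off;
  if (len - *off < 12) return 0;
  size_t n = ((size_t)p[0] << 24) | ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
  if (n > len - *off - 12) return 0;
  *type = p + 4;
  *off += 12 + n;
  return 1;
}

/* Bug shape: a short read is skipped and the only exit test is the format
   name. `watchdog` exists only so this demo ends; returns iterations run. */
size_t invariant_loop_iterations(const unsigned char *b, size_t len,
                                 const char *magick, size_t watchdog) {
  size_t off = 0, iters = 0;
  const unsigned char *type;
  do {
    if (++iters >= watchdog) break;
    if (!next_chunk(b, len, &off, &type)) continue; /* no progress, no exit */
    if (memcmp(type, "MEND", 4) == 0) break;
  } while (strcmp(magick, "MNG") == 0);
  return iters;
}

/* Hardened shape: each pass consumes a chunk, reaches MEND, or returns. */
int walk_chunks(const unsigned char *b, size_t len, const char *magick,
                size_t max_chunks, size_t *seen) {
  size_t off = 0;
  const unsigned char *type;
  *seen = 0;
  do {
    if (*seen >= max_chunks) return WALK_BUDGET;
    if (!next_chunk(b, len, &off, &type)) return WALK_TRUNCATED;
    (*seen)++;
    if (memcmp(type, "MEND", 4) == 0) return WALK_OK;
  } while (strcmp(magick, "MNG") == 0);
  return WALK_OK;
}

int main(void) { size_t s; return walk_chunks(SAMPLE, 12, "MNG", 64, &s) != WALK_TRUNCATED; }
```

On the sample cut after its first chunk, the bug-shaped loop runs until the watchdog stops it, whereas the hardened loop returns `WALK_TRUNCATED` after one chunk.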
Preconditions
- input: Victim must process a crafted MNG file using ImageMagick (e.g., via the convert utility).
- network: No authentication or special network access required; file can be delivered via any means (email, upload, etc.).
Reproduction
1. Check out ImageMagick commit 11a3594 and compile with libpng support.
2. Obtain the proof-of-concept MNG file (attached as `imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng.zip` in the issue).
3. Run: `./bin/convert $POC /tmp/null.png`
4. Observe that the process hangs indefinitely due to an infinite loop in `ReadOneMNGImage` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- usn.ubuntu.com/3681-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- github.com/ImageMagick/ImageMagick/issues/1095 (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/08/msg00030.html (mitre; mailing-list; x_refsource_MLIST)