VYPR
Unrated severity · NVD Advisory · Published May 18, 2018 · Updated Aug 5, 2024

CVE-2018-11251

Description

A heap-buffer-over-read in ImageMagick's ReadSUNImage in coders/sun.c allows denial of service via crafted SUN image file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, the ReadSUNImage function in coders/sun.c contains a heap-based buffer over-read. When processing a specially crafted SUN image file, the over-read occurs in SetGrayscaleImage within MagickCore/quantize.c at line 3444, as shown in AddressSanitizer output [2]. This affects versions up to and including 7.0.7-23; the issue was later fixed in subsequent releases [1].

Exploitation

An attacker does not need authentication or elevated privileges — only the ability to provide a malicious SUN image file to a user or automated system using ImageMagick [1]. For exploitation, the attacker crafts a SUN image with invalid colormap indices, and when the image is processed (e.g., via magick buffer-overflow-SetGrayscaleImage /dev/null), the WriteSUNImage path triggers QuantizeImage, leading to the buffer over-read in SetGrayscaleImage [2].

Impact

Successful exploitation causes a denial of service — the application crashes (heap-buffer-overflow) due to an out-of-bounds read [2]. The description notes only a crash, but the Ubuntu advisory [1] indicates that code execution might also be possible, though this is not confirmed for this specific CVE. The attacker gains no additional privileges; the crash occurs with the privileges of the user running ImageMagick.

Mitigation

Ubuntu released updates for all supported releases (versions 8:6.9.7.4+dfsg-16ubuntu6.7 and later) in USN-3681-1 [1]. Users should upgrade to the fixed ImageMagick package provided by their distribution. No workaround is documented; disabling the SUN coder (e.g., via policy.xml) may prevent exposure until patching is complete.
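
The policy.xml stopgap mentioned above can be audited with the following check, which is an added example and not code from the advisory or from ImageMagick. The sample policies are constructed; the format names SUN and RAS and the "last matching coder rule wins" evaluation are assumptions about how ImageMagick applies the file.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Format names served by coders/sun.c (assumption: SUN and its RAS alias).
SUN_FORMATS = ("SUN", "RAS")

# Constructed sample policies, not taken from any real host.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF}"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF}"/>
  <policy domain="coder" rights="none" pattern="{SUN,RAS}"/>
</policymap>"""


def expand_braces(pattern):
    """Expand one {A,B} group into plain glob patterns."""
    start, end = pattern.find("{"), pattern.find("}")
    if start == -1 or end < start:
        return [pattern]
    head, tail = pattern[:start], pattern[end + 1:]
    return [head + alt + tail for alt in pattern[start + 1:end].split(",")]


def coder_rights(policy_xml, fmt):
    """Rights left for fmt: everything by default, last matching rule wins."""
    rights = {"read", "write"}
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(node.get("pattern", ""))
        if any(fnmatch.fnmatchcase(fmt, g.strip()) for g in globs):
            granted = node.get("rights", "").lower().replace(" ", "")
            rights = set(granted.split("|")) & {"read", "write"}
    return rights


def exposed_formats(policy_xml):
    """SUN-coder formats for which any read or write right remains."""
    return [f for f in SUN_FORMATS if coder_rights(policy_xml, f)]


if __name__ == "__main__":
    print("weak policy leaves exposed:", exposed_formats(WEAK_POLICY))
    print("hardened policy leaves exposed:", exposed_formats(HARDENED_POLICY))
```

An empty list means no rule leaves the SUN coder usable; any format listed can still be handled by coders/sun.c on that host.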

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"A heap-based buffer over-read occurs in the SetGrayscaleImage function when processing SUN image files."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted SUN image file to the ImageMagick application. The vulnerability is triggered during the processing of this image, specifically within the `SetGrayscaleImage` function, leading to an application crash. The crash is a result of a heap-based buffer over-read, as indicated by the ASAN output [ref_id=1].

Affected code

The vulnerability resides in the `ReadSUNImage` function within the `coders/sun.c` file. The issue manifests as a heap-based buffer over-read in the `SetGrayscaleImage` function, located in `MagickCore/quantize.c` [ref_id=1].

What the fix does

The patch addresses the heap-based buffer over-read by ensuring proper handling of image data within the `SetGrayscaleImage` function. While the specific patch details are not provided in the bundle, the advisory indicates that the vulnerability is resolved by correcting the logic that leads to the out-of-bounds read. This prevents the application from crashing due to memory corruption when processing malformed SUN images.

Preconditions

  • input: A crafted SUN image file.

Reproduction

magick buffer-overflow-SetGrayscaleImage /dev/null [ref_id=1]

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
