CVE-2018-11624
Description
A heap-use-after-free vulnerability in ImageMagick's ReadMATImage function allows denial of service via a crafted MAT file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c contains a use-after-free vulnerability. The bug occurs when processing a crafted MAT file [1], triggering a read of freed memory in CloseBlob at blob.c:605 after an image object is destroyed prematurely [1]. The affected version is exactly 7.0.7-36 [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted MAT file to ImageMagick. No special privileges or authentication are required; the attacker only needs the ability to invoke ImageMagick's identify or similar command on the malicious file [1]. The file is processed through IdentifyImageCommand, causing the use-after-free as shown in the AddressSanitizer trace [1].
Impact
Exploitation of this use-after-free leads to a read of freed memory, which can crash the application (denial of service) and may potentially allow arbitrary code execution or information disclosure, depending on heap state [1]. The affected process terminates with a segmentation fault or AddressSanitizer error [1].
Mitigation
The issue is fixed in ImageMagick versions released after 2018-05-31. Users should upgrade to a patched version of ImageMagick. No workaround is available other than avoiding processing untrusted MAT files. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
- Range: =7.0.7-36 Q16
- osv-coords (2 versions), range: < 7.0.7.34-3.9.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
- (no CPE) range: < 7.0.7.34-3.9.1
- (no CPE) range: < 7.0.7.34-3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free in ReadMATImage where an image is freed via DeleteImageFromList but then accessed again through CloseBlob."
Attack vector
An attacker supplies a crafted MAT file that triggers a heap-use-after-free condition in `ReadMATImage` [1]. During processing, an image is allocated (line 895) and later freed via `DeleteImageFromList` (line 1084), but the code continues to access the freed image's blob through `CloseBlob` (line 1088). The attacker needs only to provide the malicious file as input to the `identify` command or any ImageMagick operation that reads images; no special privileges or network access are required beyond local file access.
Affected code
The vulnerability resides in the `ReadMATImage` function in `coders/mat.c` (line 1088). The freed region originates from `DestroyImage` called via `DeleteImageFromList` at line 1084 of the same file, and the use-after-free read occurs in `CloseBlob` at `MagickCore/blob.c:605` [1].
What the fix does
No patch is included in the bundle. The advisory [1] identifies the crash site at `coders/mat.c:1088` where `CloseBlob` is called on an image that has already been freed at line 1084 via `DeleteImageFromList`. A correct fix would ensure that after an image is removed from the list, no further operations (such as `CloseBlob`) are performed on the freed image pointer, or that the image is not freed before all uses are complete.
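The ordering rule described above, reduced to a miniature image list as an added example (not ImageMagick source and not the project's fix). Every type and function name here is hypothetical; the block closes the blob before the node is freed and repoints the caller's handle so no stale pointer survives.

```c
#include <stdlib.h>

/* Hypothetical miniature types; these are not ImageMagick's Image or BlobInfo. */
typedef struct Blob { int open; } Blob;
typedef struct Img { Blob *blob; struct Img *prev, *next; } Img;

static int live_images = 0;   /* allocation counter so a test can detect leaks */

static Img *img_new(Img *prev) {
    Img *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->blob = calloc(1, sizeof *im->blob);
    if (!im->blob) { free(im); return NULL; }
    im->blob->open = 1;
    im->prev = prev;
    if (prev) prev->next = im;
    live_images++;
    return im;
}

/* Returns 1 if an open blob was closed, 0 if there was nothing to close. */
static int blob_close(Img *im) {
    if (!im || !im->blob || !im->blob->open) return 0;
    im->blob->open = 0;
    return 1;
}

/* Unlinks and frees *ref, then repoints *ref at a surviving neighbour
   (or NULL) so the caller is never left holding the freed address. */
static void img_delete_from_list(Img **ref) {
    Img *dead = *ref;
    if (!dead) return;
    if (dead->prev) dead->prev->next = dead->next;
    if (dead->next) dead->next->prev = dead->prev;
    *ref = dead->prev ? dead->prev : dead->next;
    free(dead->blob);
    free(dead);
    live_images--;
}

/* Unsafe ordering (the shape described above): delete the node first, then
   close the blob through a second pointer that still holds the old address.
   Safe ordering: finish every use of the object, then release it. */
static int discard_image(Img **ref) {
    int closed = blob_close(*ref);   /* last use of the node's blob */
    img_delete_from_list(ref);       /* release; *ref no longer refers to it */
    return closed;
}
```

Building ImageMagick itself with AddressSanitizer, as the advisory's trace did, is what confirms that no read of the freed image remains after a real fix.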
Preconditions
- input: Attacker must supply a crafted .mat file that triggers the use-after-free code path in ReadMATImage
- config: The victim must run an ImageMagick command (e.g., 'magick identify') on the malicious file
Reproduction
Run `./magick identify ./poc` against the provided proof-of-concept file (poc.zip) [1]. The AddressSanitizer output confirms a heap-use-after-free read of size 8 at `CloseBlob` (`blob.c:605`) after the image was freed at `coders/mat.c:1084` [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/ImageMagick/ImageMagick/issues/1149 (mitre, x_refsource_MISC)