CVE-2018-11625
Description
A heap-buffer-over-read in ImageMagick's SetGrayscaleImage function allows attackers to cause a denial of service or information disclosure via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.7-37 Q16, the SetGrayscaleImage function in quantize.c contains a heap-buffer-over-read vulnerability. When processing a specially crafted file, the function reads beyond the allocated buffer boundary, leading to undefined behavior. The issue is triggered during image conversion operations, such as converting the crafted file to GIF, MAGICK, MAP, PNM, SUN, or XPM formats [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious image file to a user or service that processes images with ImageMagick. No authentication or special privileges are required; the victim only needs to open or convert the crafted file using ImageMagick's convert command or similar tools. The over-read occurs during the grayscale quantization step, as shown in the AddressSanitizer trace where SetGrayscaleImage reads 8 bytes at an address just past the allocated region [1].
Impact
Successful exploitation results in a heap-buffer-over-read, which can cause a crash (denial of service) or potentially leak sensitive memory contents (information disclosure). The impact is limited to the confidentiality and availability of the affected system; no remote code execution has been demonstrated for this specific issue [1].
Mitigation
The vulnerability was reported and fixed in a subsequent commit to the ImageMagick repository. Users should upgrade to a version of ImageMagick later than 7.0.7-37. As of the publication date, no workaround is available other than avoiding the processing of untrusted image files with the affected version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 7.0.7-37 Q16
- OSV coordinates (2 versions): pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015; pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015; range: < 7.0.7.34-3.9.1 (+ 1 more)
- (no CPE) range: < 7.0.7.34-3.9.1
- (no CPE) range: < 7.0.7.34-3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Heap-buffer-overflow read in SetGrayscaleImage due to an off-by-one or missing bounds check when accessing the grayscale lookup table."
Attack vector
An attacker provides a crafted image file that, when converted to certain output formats (e.g., GIF, XPM, MAP, SUN, PNM, MAGICK), triggers a heap-buffer-overflow read in `SetGrayscaleImage` [ref_id=1]. The overflow is a read of 8 bytes at the right boundary of a 524280-byte heap buffer, as shown by AddressSanitizer output [ref_id=1]. No authentication or special privileges are required; the attacker only needs to supply the malicious file to the `convert` command.
Affected code
The heap-buffer-overflow occurs in `SetGrayscaleImage` in `MagickCore/quantize.c` at line 3444 (the `_omp_fn.4` OpenMP parallel region). The allocation happens at line 3322 of the same file via `AcquireQuantumMemory` [ref_id=1].
What the fix does
The issue report does not include a patch or a fix commit [ref_id=1]. The advisory only describes the crash and the affected code path. No remediation guidance is provided in the reference; users should monitor the ImageMagick project for a future fix addressing the out-of-bounds read in `SetGrayscaleImage` at `quantize.c:3444`.
Preconditions
- input: Attacker must supply a crafted image file that triggers the heap-buffer-overflow when converted
- config: Victim must run ImageMagick 7.0.7-37 Q16 and attempt to convert the file to a format such as GIF or XPM
Reproduction
The reference includes steps to reproduce: run `./magick convert ./poc output.gif` or `./magick convert ./poc output.xpm` with the crafted POC file [ref_id=1]. The POC file is provided as `poc.zip` in the issue attachment [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- usn.ubuntu.com/3681-1/ (MITRE; vendor-advisory, x_refsource_UBUNTU)
- github.com/ImageMagick/ImageMagick/issues/1156 (MITRE; x_refsource_MISC)