CVE-2018-16641
Description
ImageMagick 7.0.8-6 has a memory leak in TIFFWritePhotoshopLayers when allocation fails because base_image is not freed before throwing exceptions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.8-6, the TIFFWritePhotoshopLayers function in coders/tiff.c has a memory leak vulnerability [1]. When memory allocation fails for clone_info, layers, custom_stream, or blob, the function calls ThrowBinaryException without first destroying the base_image object that was cloned at the start of the function (line 3122). This results in leaked memory because the exception path does not free base_image before returning [1]. The issue affects version 7.0.8-6 and possibly earlier versions [1].
Exploitation
An attacker can trigger this memory leak by providing a crafted TIFF image file to ImageMagick that causes memory allocation failures during the TIFF writing process, such as when converting or processing the file [1]. No special privileges are required beyond the ability to supply a malicious image to an application using ImageMagick. The leak occurs via the normal image processing flow without requiring any race condition [1].
Impact
Successful exploitation leads to a memory leak, which can degrade system performance over time and may lead to denial-of-service if sufficient memory is exhausted [1]. The impact is limited to memory consumption, with no disclosure, modification, or escalation of privileges [1].
Mitigation
The vulnerability is fixed in ImageMagick commit 256825d4eb33dc301496710d15cf5a7ae924088b, which adds calls to DestroyImage(base_image) before each ThrowBinaryException in the affected allocation failure paths [2]. Users should upgrade to a version containing this fix or apply the patch. No workaround is available if the fix cannot be applied [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 7.0.8-6
- osv-coords (3 versions), range: < 7.1.0.9-1.1 (+ 2 more)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
- (no CPE) range: < 7.1.0.9-1.1
- (no CPE) range: < 7.0.7.34-3.24.1
- (no CPE) range: < 7.0.7.34-3.24.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing `DestroyImage(base_image)` on error paths in `TIFFWritePhotoshopLayers` causes a memory leak when allocation of subsequent resources fails."
Attack vector
An attacker provides a crafted TIFF image that triggers the `TIFFWritePhotoshopLayers` code path. When memory allocation for `clone_info`, `layers`, `custom_stream`, or `blob` fails (or when `base_image` itself is NULL), the function returns early via `ThrowBinaryException` without destroying the previously cloned `base_image` [1]. Repeatedly submitting such images can exhaust available memory, leading to a denial-of-service condition. No authentication or special network access is required beyond the ability to supply a TIFF file to ImageMagick.
Affected code
The vulnerability resides in the `TIFFWritePhotoshopLayers` function in `coders/tiff.c` [1]. When `CloneImage` succeeds at line 3122, `base_image` is allocated but is never freed on several error paths that call `ThrowBinaryException` (lines 3127, 3135, 3145, 3154) [1]. The patch adds `base_image=DestroyImage(base_image)` before each of those `ThrowBinaryException` calls [2].
What the fix does
The commit [2] adds `base_image=DestroyImage(base_image);` before each of the three `ThrowBinaryException` calls that were missing this cleanup (lines 3131, 3141, 3150 in the patched file). This ensures that the `base_image` object cloned at line 3122 is properly freed on every error-exit path, closing the memory leak. The fix follows the same pattern already used for `clone_info`, `layers`, and `custom_stream` in the existing error-handling blocks [1].
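The error-path leak and its fix, modelled as an added example (not ImageMagick code and not taken from the cited commit). A fixed handle table stands in for heap objects, all function names are hypothetical, and `fail_at` injects an allocation failure at a chosen step so each early exit can be checked for objects left behind.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model; every name here is hypothetical, not ImageMagick's API. */
static char in_use[8];          /* handle table standing in for heap objects */
static int calls, fail_at;      /* allocation attempts, index forced to fail */
static char *acquire(void) {
    if (calls++ == fail_at) return NULL;          /* injected failure */
    for (int i = 0; i < 8; i++)
        if (!in_use[i]) { in_use[i] = 1; return &in_use[i]; }
    return NULL;
}
static void release(char *p) { if (p != NULL) *p = 0; }
/* Error exit: the patched variant releases base first; the original did not. */
static int bail(int fixed, char *base) {
    if (fixed) release(base);
    return 0;
}
/* Order follows the page: base_image, clone_info, layers, custom_stream, blob. */
static int write_layers(int fixed) {
    char *base, *info, *layers, *stream, *blob;
    if ((base = acquire()) == NULL) return 0;     /* nothing held yet */
    if ((info = acquire()) == NULL) return bail(fixed, base);
    if ((layers = acquire()) == NULL) {
        release(info);
        return bail(fixed, base);
    }
    if ((stream = acquire()) == NULL) {
        release(layers); release(info);
        return bail(fixed, base);
    }
    if ((blob = acquire()) == NULL) {
        release(stream); release(layers); release(info);
        return bail(fixed, base);
    }
    release(blob); release(stream); release(layers); release(info); release(base);
    return 1;
}
/* Objects still held after one run in which allocation number n fails. */
static int leaked_after(int fixed, int n) {
    int live = 0;
    memset(in_use, 0, sizeof in_use); calls = 0; fail_at = n;
    (void)write_layers(fixed);
    for (int i = 0; i < 8; i++) live += in_use[i];
    return live;
}
int main(void) {
    for (int n = -1; n <= 4; n++)                 /* -1: no injected failure */
        printf("fail_at=%2d leaky=%d fixed=%d\n",
               n, leaked_after(0, n), leaked_after(1, n));
}
```

Sweeping the failure index over every allocation in a function, and asserting that nothing is left held afterwards, is a cheap regression test for this class of bug.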
Preconditions
- input: Attacker must supply a TIFF image that reaches the TIFFWritePhotoshopLayers function
- auth: No authentication or special privileges required
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/ImageMagick/ImageMagick/commit/256825d4eb33dc301496710d15cf5a7ae924088b (mitre x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1206 (mitre x_refsource_MISC)
News mentions
No linked articles in our index yet.