VYPR
Unrated severity · NVD Advisory · Published Jan 5, 2018 · Updated Aug 5, 2024

CVE-2018-5246

Description

Memory leak vulnerability in ImageMagick 7.0.7-17 Q16 via ReadPATTERNImage, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ImageMagick 7.0.7-17 Q16, a memory leak exists in the ReadPATTERNImage function within coders/pattern.c. The issue is triggered when processing a malformed or unrecognized pattern file (e.g., poc.pattern). The CloneImageInfo call at line 966 in pattern.c allocates memory that is not properly freed upon error, resulting in a memory leak. Affected versions include ImageMagick 7.0.7-17 Q16 and possibly earlier versions [1].

Exploitation

An attacker can exploit this vulnerability by providing a crafted pattern file to the magick montage command (or any command that triggers ReadPATTERNImage). No authentication or special network position is required; the attacker only needs to convince a user to process the malicious file. The leak is demonstrated when ImageMagick attempts to read the file and fails because the format is unrecognized, as shown in the stack trace in reference [1].

Impact

Successful exploitation leads to memory exhaustion over time, potentially causing a denial of service condition. The leak is detected by LeakSanitizer as direct and indirect memory leaks totaling over 13KB per operation. Repeated processing of such files could exhaust available memory, impacting system stability [1].

Mitigation

The official fix was released in ImageMagick version 7.0.7-19 on 2018-01-13. Users should upgrade to this version or later. No workarounds are documented; processing untrusted image files should be avoided until patching [1].

References
  1. memory leaks

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

15

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `ReadPATTERNImage` function in `coders/pattern.c` fails to properly deallocate memory, leading to leaks when processing malformed pattern files."

Attack vector

An attacker can trigger memory leaks by providing a specially crafted pattern file to ImageMagick. The `montage` command, when processing this malformed pattern file, calls the vulnerable `ReadPATTERNImage` function. This leads to a denial-of-service condition due to excessive memory consumption [1].

Affected code

The vulnerability resides in the `ReadPATTERNImage` function located in the `coders/pattern.c` file. The memory leaks are observed during the processing of pattern files, as indicated by the stack traces showing allocations within this function that are not subsequently freed [1].

What the fix does

The patch addresses memory leaks by ensuring that allocated memory is properly freed within the `ReadPATTERNImage` function. Specifically, it adds necessary cleanup steps to release resources that were previously left un-deallocated, preventing the accumulation of leaked memory and resolving the denial-of-service vulnerability. The advisory does not specify the exact patch ID or file changes.
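The error-path leak and the cleanup described above, as an added example: a simplified C model, not ImageMagick source and not the actual patch, which this page does not show. All struct and function names are hypothetical, the allocation counter exists only to make the leak observable, and "poc.pattern" and "checkerboard" are constructed inputs.

```c
/* Simplified model of an error-path leak. Not ImageMagick source; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static long live_allocs = 0;            /* heap blocks not yet freed */
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
long outstanding(void) { return live_allocs; }
typedef struct { char *filename; } Info;   /* stand-in for a cloned info object */

/* Two blocks per clone: the struct and the buffer it owns. If the struct is
   lost, a leak checker reports it as direct and the buffer as indirect. */
static Info *clone_info(const char *name) {
    Info *info = xmalloc(sizeof *info);
    if (!info) return NULL;
    info->filename = xmalloc(strlen(name) + 1);
    if (!info->filename) { xfree(info); return NULL; }
    strcpy(info->filename, name);
    return info;
}
static void destroy_info(Info *info) { if (info) { xfree(info->filename); xfree(info); } }

/* Stand-in decoder: accepts one constructed pattern name only. */
static int decode(const Info *info) { return strcmp(info->filename, "checkerboard") == 0; }

/* Leaky shape: the failure branch returns without releasing the clone. */
int read_pattern_leaky(const char *name) {
    Info *info = clone_info(name);
    if (!info) return -1;
    if (!decode(info)) return -1;       /* struct and buffer are lost here */
    destroy_info(info);
    return 0;
}

/* Corrected shape: the clone is released on success and on failure. */
int read_pattern_fixed(const char *name) {
    Info *info = clone_info(name);
    if (!info) return -1;
    int rc = decode(info) ? 0 : -1;
    destroy_info(info);
    return rc;
}

int main(void) {                        /* "poc.pattern" is a constructed bad input */
    read_pattern_fixed("poc.pattern");
    printf("fixed: %ld blocks outstanding\n", outstanding());
    read_pattern_leaky("poc.pattern");
    printf("leaky: %ld blocks outstanding\n", outstanding());
    return 0;
}
```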

Preconditions

  • input: The attacker must provide a malformed pattern file.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
