CVE-2019-10131
Description
An off-by-one read vulnerability in ImageMagick before 7.0.7-28 allows local attackers to read beyond buffer bounds or crash the program.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An off-by-one read vulnerability exists in ImageMagick versions before 7.0.7-28 in the formatIPTCfromBuffer function within coders/meta.c. The flaw occurs when processing IPTC data in the format8BIM function, where a buffer of size count is allocated but the code reads one byte beyond the allocated memory [1][2]. This is triggered when converting a specially crafted image file.
Exploitation
A local attacker can exploit this by providing a malicious image file that, when processed by ImageMagick (e.g., via the convert command), causes an out-of-bounds read. No special privileges are required beyond the ability to run ImageMagick on the crafted file. The valgrind output reports an invalid read of size 1 at an address 0 bytes after a block of size 11, that is, the byte immediately past the end of an 11-byte allocation [1].
Impact
Successful exploitation allows the attacker to read one byte beyond the allocated buffer, potentially leading to information disclosure of adjacent memory. In worst-case scenarios, this could cause a crash (denial of service). The read is limited to a single byte, but repeated exploitation could leak sensitive data.
Mitigation
The fix was committed in commit cb1214c124e1bd61f7dd551b94a794864861592e [2], which changes the allocation to count+1 to ensure sufficient space. Users should upgrade to ImageMagick version 7.0.7-28 or later. No workaround is available; the vulnerability is addressed by the patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
<7.0.7-28 (+ 1 more)
- (no CPE) range: <7.0.7-28
- (no CPE) range: fixed in 7.0.7-28
< 6.8.8.1-71.123.2 (+ 9 more)
- osv-coords, 10 versions, each (no CPE) with range: < 6.8.8.1-71.123.2
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Off-by-one read in formatIPTCfromBuffer due to insufficient bounds checking when reading IPTC data."
Attack vector
A local attacker supplies a crafted image file (PoC) that triggers the `convert` command to process it. During `WriteMETAImage`, the `format8BIM` function allocates a buffer and passes it to `formatIPTCfromBuffer`, which performs an off-by-one read of one byte beyond the allocated buffer. This can lead to a crash or information disclosure. No authentication or special privileges are required beyond the ability to run ImageMagick's `convert` on a malicious file.
Affected code
The off-by-one read occurs in the `formatIPTCfromBuffer` function in `coders/meta.c` (line 2084). The buffer is allocated in `format8BIM()` (line 2196) and the invalid read happens when `formatIPTCfromBuffer` is called from `format8BIM` (line 2227) during `WriteMETAImage` (line 2317).
What the fix does
The advisory does not include a patch diff. The recommended fix is to correct the bounds check in `formatIPTCfromBuffer` so that it does not read one byte past the end of the allocated buffer. The issue was resolved in ImageMagick version 7.0.7-28 and later.
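A simplified model of the failure described above and of the two remedies the page mentions (allocating `count+1`, or checking bounds before reading); this is an added example, not ImageMagick's code. The read-then-check loop shape, the function names and the 11-byte input are assumptions constructed for illustration.

```c
#include <stdio.h>

#define MARKER 0x1c   /* record marker byte in this model */
#define BLOCK  11     /* logical payload size, i.e. `count` (constructed) */

/* Constructed input: 10 filler bytes, a marker as the last payload byte,
   then one spare byte so the demonstration never leaves the array. */
static const unsigned char SAMPLE[BLOCK + 1] =
  { 'c','o','n','s','t','r','u','c','t','d', MARKER, 0 };

/* Assumed read-then-check pattern: the byte is fetched before the remaining
   length is validated. Returns the highest offset dereferenced.
   `s` must have at least len+1 readable bytes. */
static long walk_read_then_check(const unsigned char *s, long len)
{
  long pos = 0, highest = -1;
  while (len > 0) {
    unsigned char c = s[pos]; highest = pos++; len--;
    if (c != MARKER) continue;
    c = s[pos]; highest = pos++; len--;   /* read first ...         */
    if (len < 0) return highest;          /* ... length check after */
    (void) c;
  }
  return highest;
}

/* Check-then-read variant: validates the offset before every fetch. */
static long walk_check_then_read(const unsigned char *s, long len)
{
  long pos = 0, highest = -1;
  while (pos < len) {
    unsigned char c = s[pos]; highest = pos++;
    if (c != MARKER) continue;
    if (pos >= len) break;                /* truncated record: stop */
    c = s[pos]; highest = pos++;
    (void) c;
  }
  return highest;
}

/* An access at offset `highest` is in bounds only if highest < alloc. */
static int fits(long highest, long alloc) { return highest < alloc; }

int main(void)
{
  long h = walk_read_then_check(SAMPLE, BLOCK);
  printf("read-then-check: highest offset %ld; fits count: %d; fits count+1: %d\n",
         h, fits(h, BLOCK), fits(h, BLOCK + 1));
  printf("check-then-read: highest offset %ld\n", walk_check_then_read(SAMPLE, BLOCK));
  return 0;
}
```

In this model the highest offset touched equals `count`, which corresponds to the "0 bytes after a block of size 11" wording in the valgrind report; a `count+1` allocation makes that access land in bounds, while the check-then-read walker never issues it.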
Preconditions
- input: Attacker must provide a crafted image file that triggers the vulnerable code path.
- config: Victim must run ImageMagick's `convert` (or similar tool) on the malicious file.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00051.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4034-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.securityfocus.com/bid/108117 (mitre, vdb-entry, x_refsource_BID)
- bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_CONFIRM)
- github.com/ImageMagick/ImageMagick/commit/cb1214c124e1bd61f7dd551b94a794864861592e (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2020/08/msg00030.html (mitre, mailing-list, x_refsource_MLIST)