CVE-2019-11598
Description
Heap-based buffer over-read in ImageMagick's WritePNMImage allows DoS or info disclosure via crafted PNM file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.8-40 Q16, the function WritePNMImage in coders/pnm.c contains a heap-based buffer over-read. This occurs when processing a specially crafted PNM file, leading to a read beyond the allocated buffer. The over-read is triggered via the SetGrayscaleImage function in MagickCore/quantize.c, which accesses memory beyond the allocated quantum region [1].
Exploitation
An attacker can exploit this vulnerability by providing a crafted PNM image file to the victim. The victim must process the file using ImageMagick (e.g., magick convert). No special authentication or network position is required; the attacker only needs to deliver the malicious file. The issue is triggered during the conversion process, specifically when WritePNMImage calls SetGrayscaleImage after a prior allocation of insufficient size [1].
Impact
Successful exploitation can lead to a denial of service (crash) or possible information disclosure due to the heap-based buffer over-read [1]. The attacker may cause ImageMagick to read out-of-bounds memory, potentially leaking sensitive data from adjacent memory regions. No remote code execution is indicated in the references.
Mitigation
The vulnerability was reported on GitHub but as of the CVE publication date (2019-04-29), no official patch had been released. Users are advised to apply any subsequent updates from ImageMagick. If a fix is available in a later version (e.g., 7.0.8-41 or higher), upgrade accordingly. Otherwise, avoid processing untrusted PNM files [1].
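One way to enforce the "avoid processing untrusted PNM files" advice until an update is installed is an ImageMagick security policy entry. This fragment is an added example, not taken from the advisory or from the ImageMagick project; the list of format names is an assumption about which formats `coders/pnm.c` serves, and the location of `policy.xml` depends on the installation.

```xml
<!-- Added example: policy.xml fragment. The file location varies by install;
     `magick -list policy` prints the policies that are actually loaded. -->
<policymap>
  <!-- Without a coder rule, any image handed to `magick convert` with a
       .pnm output name reaches WritePNMImage. -->

  <!-- Deny both read and write for the PNM-family coders.
       Assumption: these are the format names registered by coders/pnm.c. -->
  <policy domain="coder" rights="none" pattern="{PAM,PBM,PFM,PGM,PNM,PPM}" />
</policymap>
```

With this entry loaded, a conversion that targets one of the listed formats is refused by the policy check before the coder runs.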
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Total: 18
= 7.0.8-40 (+ 1 more)
- (no CPE) range: = 7.0.8-40
- (no CPE) range: = 7.0.8-40 Q16
osv-coords (16 versions)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
< 7.0.7.34-lp151.7.3.1 (+ 15 more)
- (no CPE) range: < 7.0.7.34-lp151.7.3.1
- (no CPE) range: < 7.0.7.34-lp151.7.3.1
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Heap-based buffer over-read in SetGrayscaleImage when processing a crafted image, triggered via WritePNMImage."
Attack vector
An attacker provides a specially crafted image file that, when processed by ImageMagick's `convert` utility (or any path that calls `WritePNMImage`), triggers a heap-buffer-overflow read in `SetGrayscaleImage` at `MagickCore/quantize.c:3453` [ref_id=1]. The allocated memory region is only 4 bytes, but the read is 8 bytes wide and lands 0 bytes to the right of the allocated region, that is, immediately past its end [ref_id=1]. The attack requires no special privileges; the victim only needs to run `magick convert $poc ./test.pnm` on the malicious file [ref_id=1].
Affected code
The vulnerability resides in `SetGrayscaleImage` at `MagickCore/quantize.c:3453`, called from `WritePNMImage` in `coders/pnm.c:1938` [ref_id=1]. The call chain is: `WritePNMImage` → `SetImageType` → `QuantizeImage` → `SetGrayscaleImage` [ref_id=1]. The heap-buffer-overflow read occurs at line 3453 of `quantize.c` in the OpenMP-parallelized function `SetGrayscaleImage._omp_fn.4` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the bug as a heap-buffer-overflow in `SetGrayscaleImage` (`MagickCore/quantize.c:3453`) called from `WritePNMImage` (`coders/pnm.c:1938`). The reporter did not provide a fix; the remediation would require the ImageMagick maintainers to add bounds checking in `SetGrayscaleImage` to ensure the read does not exceed the allocated buffer size when processing grayscale conversion.
Preconditions
- input: Victim must process a crafted image file with ImageMagick's convert command (or any code path invoking WritePNMImage).
- network: No authentication or special network access required; the attacker only needs to deliver the malicious file.
Reproduction
1. Obtain the proof-of-concept file (referenced as "poc" in the issue).
2. Run: `magick convert $poc ./test.pnm`
3. AddressSanitizer reports a heap-buffer-overflow read of size 8 at `MagickCore/quantize.c:3453` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00057.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4034-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.securityfocus.com/bid/108102 (mitre, vdb-entry, x_refsource_BID)
- github.com/ImageMagick/ImageMagick/issues/1540 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/05/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2020/09/msg00007.html (mitre, mailing-list, x_refsource_MLIST)