CVE-2019-13133
Description
ImageMagick before 7.0.8-50 contains a memory leak in ReadBMPImage that can be triggered via a crafted BMP file, leading to resource exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick versions prior to 7.0.8-50 contain a memory leak vulnerability in the ReadBMPImage function within coders/bmp.c. The issue arises from incorrect error handling when GetNextImageInList(image) returns NULL: the original code returns without releasing the image list, causing a memory leak [1]. The affected code path is reachable when processing a crafted BMP file that causes the multi-frame read loop to fail. The same pattern exists in ReadVIFFImage in coders/viff.c [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted BMP image to an application using ImageMagick. No authentication or special network position is required if the application accepts user-supplied images. The erroneous code path triggers when the image read loop encounters a failure condition, leading to the leak on each unsuccessful attempt [1].
Impact
Successful exploitation causes a memory leak, which can lead to resource exhaustion and denial of service (DoS). The impact is limited to availability, as an attacker can cause the consuming application to run out of memory over repeated processing of malicious images [1].
Mitigation
The vulnerability is fixed in ImageMagick version 7.0.8-50. The commit fe3066122ef72c82415811d25e9e3fad622c0a99 corrects the logic by replacing the premature return with a break statement and setting a status flag, ensuring the image list is properly cleaned up [2]. Users should upgrade to version 7.0.8-50 or later. No workaround is documented; processing untrusted BMP files should be avoided until the patch is applied.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ImageMagick/ImageMagick (description)
- Range: <7.0.8-50
- osv-coords (11 versions):
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing cleanup of the current image when GetNextImageInList returns NULL causes a memory leak in ReadBMPImage and ReadVIFFImage."
Attack vector
An attacker provides a crafted BMP or VIFF image file that causes `GetNextImageInList(image)` to return NULL during multi-frame processing [ref_id=1]. When this occurs, the original code path returns NULL without freeing the current image, leaking memory [ref_id=2]. The attacker does not need authentication; the bug is triggered simply by having ImageMagick process the malicious image file via any tool that uses the affected coders.
Affected code
The vulnerability is in the `ReadBMPImage` function in `coders/bmp.c` and the `ReadVIFFImage` function in `coders/viff.c` [ref_id=1]. In both functions, when `GetNextImageInList(image)` returns NULL, the original code either returned NULL directly (in `ReadBMPImage`) or called `DestroyImageList(image)` and then returned NULL (in `ReadVIFFImage`), without properly cleaning up the current image or breaking out of the loop [ref_id=2].
What the fix does
The patch [ref_id=2] changes both `ReadBMPImage` and `ReadVIFFImage` so that when `GetNextImageInList(image)` returns NULL, the code sets `status=MagickFalse` and uses `break` instead of returning NULL (or destroying the list and returning NULL). This ensures the loop exits cleanly and the current image is not leaked. The fix corrects an earlier incomplete patch (3b48d20) that still returned NULL in `ReadBMPImage` without freeing the image [ref_id=1].
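The control-flow difference described above, as an added example that is not ImageMagick's code: a toy multi-frame reader whose unpatched path returns from inside the loop and whose patched path sets a status flag, breaks, and frees the list once. The `Frame` type, `live_frames` counter, and all function names are hypothetical stand-ins.

```c
/* Added illustration with toy types; not ImageMagick's API or source. */
#include <stdio.h>
#include <stdlib.h>

typedef struct Frame { struct Frame *next; } Frame;
static int live_frames = 0;          /* frames allocated and not yet freed */
static Frame *new_frame(void) {
    Frame *f = calloc(1, sizeof *f);
    if (f != NULL) live_frames++;
    return f;
}
static Frame *destroy_list(Frame *head) {
    for (Frame *next; head != NULL; head = next) {
        next = head->next;
        free(head);
        live_frames--;
    }
    return NULL;
}

/* patched == 0: return from inside the loop on failure (the leak).
   patched != 0: record the failure, break, and free the list once. */
static Frame *read_frames(int wanted, int fail_at, int patched) {
    Frame *head = new_frame(), *tail = head;
    int status = 1;
    for (int n = 1; head != NULL && n < wanted; n++) {
        /* Simulated acquisition of the next frame; fails once n >= fail_at. */
        Frame *next = (n >= fail_at) ? NULL : new_frame();
        if (next == NULL) {
            if (!patched) return NULL;   /* frames read so far are orphaned */
            status = 0;
            break;
        }
        tail->next = next;
        tail = next;
    }
    return status ? head : destroy_list(head);
}

/* Frames left allocated by one 5-frame read that fails at the 4th frame. */
static int leaked_after_failed_read(int patched) {
    int before = live_frames;
    (void)read_frames(5, 3, patched);
    return live_frames - before;
}
int main(void) {
    printf("unpatched leaks %d frames, patched leaks %d\n",
           leaked_after_failed_read(0), leaked_after_failed_read(1));
    return 0;
}
```

In a long-running service the unpatched count accumulates per rejected file, which is why a per-request memory ceiling or worker recycling limits the blast radius of leaks of this shape.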
Preconditions
- input: The attacker must supply a crafted BMP or VIFF image file that triggers the NULL return from GetNextImageInList.
- config: The victim must process the malicious image using ImageMagick (version before 7.0.8-50) via any tool that invokes ReadBMPImage or ReadVIFFImage.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- github.com/ImageMagick/ImageMagick/commit/fe3066122ef72c82415811d25e9e3fad622c0a99 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1600 (mitre, x_refsource_MISC)