Unrated severity · NVD Advisory · Published Jul 5, 2019 · Updated Aug 4, 2024

CVE-2019-13295

Description

ImageMagick 7.0.8-50 Q16 is vulnerable to a heap-based buffer over-read in AdaptiveThresholdImage when width is zero.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick 7.0.8-50 Q16 contains a heap-based buffer over-read vulnerability in AdaptiveThresholdImage at MagickCore/threshold.c. The issue occurs when a width of zero is passed to the function, which is not properly handled, leading to an out-of-bounds read. The vulnerability was discovered via the magick:logo and magick:wizard images with -lat 0x564-42% parameter [1].

Exploitation

An attacker can trigger the vulnerability by using a crafted command that passes a width of zero to the `-lat` (adaptive threshold) operator. For example: `magick -seed 0 "(" magick:logo +repage ")" "(" magick:wizard -lat 0x564-42% ")" -quiet tmp`. No authentication is required, as this is a command-line invocation that can be executed by any user with access to the magick binary. The exploit does not require any special network position or user interaction beyond running the provided command [1].

Impact

Successful exploitation results in a heap-based buffer over-read, which can lead to information disclosure (reading out-of-bounds heap memory). The vulnerability could potentially be leveraged to crash the application or leak sensitive data. The ASAN report confirms a read of size 4 from an invalid memory location, indicating potential for memory corruption [1].

Mitigation

The issue has been patched in both the ImageMagick 6 and ImageMagick 7 codebases. For ImageMagick 7, the fix is in commit a7759f410b773a1dd57b0e1fb28112e1cd8b97bc, which adds a check for width == 0 and returns an early clone of the image [3]. For ImageMagick 6, the equivalent fix is in commit 55e6dc49f1a381d9d511ee2f888fdc3e3c3e3953 [2]. Users should update to the latest patched version of ImageMagick. No workaround is mentioned if updating is not possible.
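The guard described above, shown on a simplified model as an added example (this is not ImageMagick's code or the patch itself). `lat_threshold` and its parameters are hypothetical names, the 3x3 sample is constructed, and the window reads are bounds-checked so the non-zero path cannot leave the buffer either:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not ImageMagick code: local adaptive threshold over an
   8-bit grayscale buffer. win_w x win_h stands in for the -lat geometry. */
uint8_t *lat_threshold(const uint8_t *src, size_t cols, size_t rows,
                       size_t win_w, size_t win_h, long bias)
{
    if (src == NULL || cols == 0 || rows == 0 || cols > SIZE_MAX / rows)
        return NULL;
    uint8_t *dst = malloc(cols * rows);
    if (dst == NULL) return NULL;
    /* Guard modelled on the fix the advisory describes: a zero window
       dimension returns an unmodified clone before any window arithmetic. */
    if (win_w == 0 || win_h == 0) {
        memcpy(dst, src, cols * rows);
        return dst;
    }
    for (size_t y = 0; y < rows; y++) {
        for (size_t x = 0; x < cols; x++) {
            long sum = 0, n = 0;
            for (size_t v = 0; v < win_h; v++) {
                long yy = (long)y + (long)v - (long)(win_h / 2);
                if (yy < 0 || yy >= (long)rows) continue; /* row outside buffer */
                for (size_t u = 0; u < win_w; u++) {
                    long xx = (long)x + (long)u - (long)(win_w / 2);
                    if (xx < 0 || xx >= (long)cols) continue; /* column outside */
                    sum += src[(size_t)yy * cols + (size_t)xx];
                    n++;
                }
            }
            /* n >= 1 here: the centre pixel is always inside the window. */
            dst[y * cols + x] = (src[y * cols + x] > sum / n + bias) ? 255 : 0;
        }
    }
    return dst;
}

int main(void)
{
    /* Constructed 3x3 sample; window 0x564 mirrors the advisory's geometry. */
    const uint8_t img[9] = {10, 10, 10, 10, 200, 10, 10, 10, 10};
    uint8_t *out = lat_threshold(img, 3, 3, 0, 564, -42);
    puts(out && memcmp(out, img, 9) == 0 ? "clone returned" : "unexpected");
    free(out);
    return 0;
}
```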

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in AdaptiveThresholdImage allows a width of zero to be mishandled, causing a heap-buffer-overflow read."

Attack vector

An attacker provides a crafted image that causes the `-lat` (local adaptive threshold) operator to be invoked with a zero width value (e.g., `-lat 0x564-42%`), which is not properly validated [1]. When `AdaptiveThresholdImage` processes this malformed parameter, it reads beyond the allocated pixel buffer, resulting in a heap-buffer-overflow [1]. The attack is triggered via the command line by running `magick -seed 0 "(" magick:logo +repage ")" "(" magick:wizard -lat 0x564-42% ")" -quiet tmp` [1].

Affected code

The heap-buffer-overflow occurs in `AdaptiveThresholdImage` at `MagickCore/threshold.c:323:33` [1]. The crash is triggered when a width of zero is mishandled, causing a read of size 4 from a memory location 16 bytes to the left of an allocated region [1].

What the fix does

No patch is included in the bundle. The advisory [1] does not provide a fix or remediation guidance; it only documents the heap-buffer-overflow crash. Based on the root cause (a width of zero being mishandled), a proper fix would add input validation in `AdaptiveThresholdImage` to reject or clamp a zero width before performing pixel memory accesses.

Preconditions

  • input: Attacker must supply a crafted image that triggers the `-lat` operator with a zero or malformed width parameter
  • input: The ImageMagick CLI must be invoked with the specific `-lat` argument (e.g., `-lat 0x564-42%`)

Reproduction

Run the following command with a vulnerable ImageMagick 7.0.8-50 build (compiled with ASAN for detection): `magick -seed 0 "(" magick:logo +repage ")" "(" magick:wizard -lat 0x564-42% ")" -quiet tmp` [1]. This triggers a heap-buffer-overflow read at `MagickCore/threshold.c:323:33` in `AdaptiveThresholdImage` [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
