VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2019 · Updated Aug 4, 2024

CVE-2019-13296

Description

ImageMagick 7.0.8-50 Q16 has a direct memory leak in AcquireMagickMemory due to an unhandled NULL return from RemoveFirstImageFromList in CLIListOperatorImages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick version 7.0.8-50 Q16 is affected by a direct memory leak in the AcquireMagickMemory function. The leak originates in CLIListOperatorImages in MagickWand/operation.c when processing certain command-line operations. Specifically, if RemoveFirstImageFromList returns NULL, the code fails to destroy the existing image object before breaking out of the loop, leaving allocated memory unreleased [1]. This can be triggered by commands such as `magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare tmp` or similar operations involving multiple images and comparison operators [2].

Exploitation

An attacker would need to supply a crafted command-line sequence to ImageMagick that causes CLIListOperatorImages to encounter a situation where RemoveFirstImageFromList returns NULL. This does not require authentication or special privileges, as the command can be invoked by any user with access to the magick binary. The vulnerability is triggered through normal command-line parsing and image processing, without the need for unusual timing or race conditions [1].

Impact

Successful exploitation leads to a direct memory leak of at least 13,504 bytes (and indirect leaks of over 940,000 bytes) per invocation of the vulnerable code path. While this is a denial-of-service condition through resource exhaustion rather than code execution, repeated or automated triggering could cause the system to run out of memory, impacting availability. No privilege escalation or data corruption occurs [1].

Mitigation

The issue was fixed in commit ce08a3691a8ac29125e29fc41967b3737fa3f425, which adds a call to DestroyImage(image) before breaking when reconstruct_image is NULL in CLIListOperatorImages [2]. Users should upgrade to ImageMagick version 7.0.8-51 or later. If immediate patching is not possible, avoid using the specific command-line patterns involving -compare, -fft, or similar operators with null-terminated lists that could trigger the NULL return.
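
A minimal C model of the error-path leak and the fix described above, added here as an illustration and not taken from ImageMagick's source. `ToyImage`, `toy_push`, `toy_destroy`, `toy_remove_first` and `run_operator` are hypothetical names, and the live-allocation counter stands in for a sanitizer's leak report.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for an image list; constructed here, not ImageMagick code. */
typedef struct ToyImage { struct ToyImage *next; unsigned char *pixels; } ToyImage;
static long live_allocs;  /* outstanding allocations, standing in for a leak report */

static void toy_push(ToyImage **list) {
    ToyImage *img = calloc(1, sizeof *img);
    if (img == NULL || (img->pixels = malloc(64)) == NULL) abort();
    img->next = *list;
    *list = img;
    live_allocs += 2;  /* struct (direct) plus pixel buffer (indirect) */
}

static ToyImage *toy_destroy(ToyImage *img) {
    if (img == NULL) return NULL;
    free(img->pixels);
    free(img);
    live_allocs -= 2;
    return NULL;
}

/* Detach and return the list head, or NULL when the list is empty. */
static ToyImage *toy_remove_first(ToyImage **list) {
    ToyImage *head = *list;
    if (head != NULL) { *list = head->next; head->next = NULL; }
    return head;
}

/* Two-operand list operator; returns the allocations still live when it exits.
   fixed == 0 models the break on a NULL second operand that keeps `image`. */
static long run_operator(int list_len, int fixed) {
    ToyImage *list = NULL;
    live_allocs = 0;
    for (int i = 0; i < list_len; i++) toy_push(&list);
    ToyImage *image = toy_remove_first(&list);
    ToyImage *reconstruct = toy_remove_first(&list);
    if (reconstruct != NULL || fixed)
        image = toy_destroy(image);  /* normal path, or the added error-path release */
    toy_destroy(reconstruct);
    while (list != NULL) toy_destroy(toy_remove_first(&list));
    long live_at_exit = live_allocs; /* the operator returns here */
    toy_destroy(image);              /* demo-only: reclaim the orphan after measuring */
    return live_at_exit;
}

int main(void) {
    printf("unfixed: %ld live, fixed: %ld live\n", run_operator(1, 0), run_operator(1, 1));
    return 0;
}
```

Only the single-image list with `fixed == 0` reports live allocations: the first operand has already been detached from the list, so later list cleanup cannot reach it.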

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing error-path memory deallocation in CLIListOperatorImages when a NULL value is encountered, causing AcquireMagickMemory allocations to leak."

Attack vector

An attacker provides a crafted ImageMagick command line that invokes the `-compare` operator with specific image-processing arguments, such as `magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare tmp` [ref_id=1]. The command triggers `CLIListOperatorImages` which calls `AppendImages`, and when a NULL value is encountered during image list processing, allocated memory is not freed [ref_id=1]. No authentication or special network access is required — the attacker only needs to supply the malicious command to a local or remote ImageMagick invocation that processes user-supplied arguments.

Affected code

The direct memory leak originates in `CLIListOperatorImages` at `MagickWand/operation.c:3795` [ref_id=1]. The ASAN trace shows the allocation flows through `AcquireMagickMemory` in `MagickCore/memory.c:478` and `CloneImage` in `MagickCore/image.c:823`, triggered when `AppendImages` is called at `MagickCore/image.c:520` [ref_id=1]. The issue involves an error path for a NULL value in `CLIListOperatorImages` [ref_id=1].

What the fix does

The bundle does not include a patch or explicit remediation guidance. The issue was reported as a GitHub issue [ref_id=1], but no fix commit or advisory text is provided. Based on the description, the fix would need to ensure that when `CLIListOperatorImages` encounters a NULL value, any memory already allocated via `AcquireMagickMemory` (through `CloneImage` and `AppendImages`) is properly freed before returning, preventing the direct and indirect leaks shown in the ASAN output [ref_id=1].

Preconditions

  • Input: Attacker must be able to supply a command-line invocation to ImageMagick (e.g., via a web application that passes user input to the `magick` command)
  • Input: The command must include the `-compare` operator with image-processing arguments that trigger the `CLIListOperatorImages` code path

Reproduction

Run the following command with AddressSanitizer enabled: `magick -seed 0 "(" magick:netscape +repage ")" "(" magick:granite +repage ")" -append -fft -compare tmp` [ref_id=1]. Alternatively, run: `magick -seed 0 -bias 0% "(" magick:rose +repage ")" "(" magick:rose -despeckle -threshold 26 -wave 55x83 ")" -sampling-factor 3.65x3.408 -channel RGBA -compare -mosaic -compare tmp` [ref_id=1]. Both commands trigger direct and indirect memory leaks visible in the ASAN output [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
