CVE-2019-13311
Description
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory due to missing image cleanup in wand/mogrify.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory due to missing image cleanup in wand/mogrify.c.
Vulnerability
ImageMagick 7.0.8-50 Q16 suffers from memory leaks in AcquireMagickMemory due to an error in wand/mogrify.c. When processing certain command-line arguments that require a sequence of images (e.g., -clut, -compare, -composite, -hald-clut, -complex), the code fails to properly release images from the list when the required subsequent image is missing. This leads to unreferenced image objects that are never freed. The issue affects ImageMagick 7.0.8-50 Q16 and earlier versions (cited as ImageMagick6 with similar issue). [1]
Exploitation
An attacker can trigger the memory leak by providing a crafted command line to ImageMagick that includes operators expecting a multi-image sequence but only supplying an incomplete set of images. For example, the command magick -seed 0 -label "%r%W&%tZRD%r%A" -units PixelsPerCentimeter -caption "%s%m%w" "(" magick:logo +repage ")" "(" magick:granite -shade 13x85 ")" -compress RLE -combine -ift -complex magnitude-phase tmp causes the leak. No special privileges or network access are required; any user with the ability to execute ImageMagick on untrusted input can trigger the issue. [1]
Impact
Successfully triggering the memory leaks causes ImageMagick to exhaust available memory, leading to denial of service (DoS). The leaked memory includes both direct allocations (e.g., 13504 bytes) and potentially large indirect allocations (e.g., 3.6 MB per leak). Repeated or automated invocations could cause system instability or crash. There is no information disclosure, file manipulation, or code execution impact. [1]
Mitigation
The vulnerability is fixed in ImageMagick 7.0.8-51 and later. The fix in commit 4a334bb (for version 7) ensures that when an image removal operation yields a NULL pointer (indicating missing image), the already-populated new image is properly destroyed via DestroyImage and the status is set to MagickFalse before breaking out of the processing loop. A similar fix for ImageMagick6 was applied in commit bb81202. Users should update to the latest version. No workaround is available other than avoiding the affected command-line sequences. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [2][3]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
14- ImageMagick/ImageMagickdescription
- Range: = 7.0.8-50
- osv-coords12 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
< 7.0.7.34-lp151.7.9.1+ 11 more
- (no CPE)range: < 7.0.7.34-lp151.7.9.1
- (no CPE)range: < 7.0.7.34-lp151.7.9.1
- (no CPE)range: < 7.1.0.9-1.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 6.8.8.1-71.126.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing deallocation of cloned image objects and associated resources in CombineImages leads to memory leaks."
Attack vector
An attacker can trigger the memory leaks by supplying a crafted command line to ImageMagick's `magick` utility. The reproducer command uses options such as `-seed`, `-label`, `-caption`, `-combine`, `-ift`, and `-complex` with built-in images (`magick:logo`, `magick:granite`) and specific operators like `-shade` [ref_id=1]. No authentication or special privileges are required; the attacker only needs to invoke the `magick` binary with the crafted arguments, causing `CombineImages` to allocate memory that is never freed.
Affected code
The memory leaks originate in `MagickCore/channel.c` in the `CombineImages` function (line 520), which calls `CloneImage` without properly freeing the cloned image objects. The Asan backtrace shows allocations from `AcquireMagickMemory` (MagickCore/memory.c:478), `CloneImage` (MagickCore/image.c:823), and `CombineImages` (MagickCore/channel.c:520) [ref_id=1]. The issue is also linked to `wand/mogrify.c` as noted in the CVE description.
What the fix does
The bundle does not include a patch. The advisory [ref_id=1] reports the memory leaks as a bug in ImageMagick 7.0.8-50 Q16 and links it to issue #1616, but no fix commit or remediation guidance is provided in the supplied materials. Without a patch, the expected fix would involve ensuring that `CombineImages` (MagickCore/channel.c:520) properly releases cloned image objects and associated pixel caches, splay trees, and blob info before returning.
Preconditions
- inputThe attacker must be able to execute the ImageMagick `magick` command with arbitrary arguments.
- configThe vulnerable version is ImageMagick 7.0.8-50 Q16.
Reproduction
Run the following command with AddressSanitizer enabled: `magick -seed 0 -label "%r%W&%tZRD%r%A" -units PixelsPerCentimeter -caption "%s%m%w" "(" magick:logo +repage ")" "(" magick:granite -shade 13x85 ")" -compress RLE -combine -ift -complex magnitude-phase tmp` [ref_id=1]. LeakSanitizer will report multiple direct and indirect memory leaks originating from `AcquireMagickMemory` and `CombineImages`.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.htmlmitrevendor-advisoryx_refsource_SUSE
- usn.ubuntu.com/4192-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4712mitrevendor-advisoryx_refsource_DEBIAN
- github.com/ImageMagick/ImageMagick/commit/4a334bbf5584de37c6f5a47c380a531c8c4b140amitrex_refsource_MISC
- github.com/ImageMagick/ImageMagick/issues/1623mitrex_refsource_MISC
- github.com/ImageMagick/ImageMagick6/commit/bb812022d0bc12107db215c981cab0b1ccd73d91mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.