CVE-2019-14980
Description
Use-after-free in ImageMagick's UnmapBlob can cause denial of service via crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the UnmapBlob function in ImageMagick versions 7.x before 7.0.8-42 and 6.x before 6.9.10-42 [1]. In magick/blob.c, UnmapBlob frees blob_info->data but does not set the pointer to NULL, and the dangling pointer is returned in a later code path, leading to a use-after-free condition [4].
Exploitation
An attacker can exploit this vulnerability by sending a crafted file to be processed by ImageMagick. No special privileges or authentication are required; the attacker only needs to provide a malicious input that triggers the vulnerable code path during image processing.
Impact
Successful exploitation causes a denial of service, as the use-after-free can lead to application crash or unexpected behavior.
Mitigation
Upgrade to ImageMagick 7.0.8-42 or later (7.x) or 6.9.10-42 or later (6.x) [1]. No workaround is available; applying the patch is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (17)
- ImageMagick/ImageMagick (description)
- Range: 6.x <6.9.10-42, 7.x <7.0.8-42
- osv-coords (15 versions, no CPE):
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0, range: < 7.0.7.34-lp150.2.41.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1, range: < 7.0.7.34-lp151.7.12.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015, range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1, range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015, range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1, range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4, range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5, range: < 6.8.8.1-71.131.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The UnmapBlob function in ImageMagick does not properly set the data pointer to NULL after unmapping, leading to a use-after-free vulnerability."
Attack vector
An attacker can trigger this vulnerability by providing a specially crafted file to ImageMagick. When the UnmapBlob function is called, it attempts to unmap the blob data. However, because the data pointer is not reset, subsequent operations on the blob_info structure can lead to a use-after-free condition, resulting in a denial of service.
Affected code
The vulnerability exists in the `UnmapBlob` function within `MagickCore/blob.c` (or `magick/blob.c` in older versions). The specific lines affected are around line 999 in `MagickCore/blob.c` and line 703 in `magick/blob.c`, where the `blob_info->data` pointer is not reset after being unmapped.
What the fix does
The patch addresses the use-after-free vulnerability by adding the line `blob_info->data=NULL;` within the `if (blob_info->mapped != MagickFalse)` block in the UnmapBlob function. This ensures that after the blob data is unmapped and its resource is relinquished, the data pointer is explicitly set to NULL, preventing any subsequent attempts to access freed memory.
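The pointer lifecycle described above, as an added example that is not ImageMagick source and not part of the original entry: a simplified model in which an anonymous `mmap` stands in for the mapped blob, and `demo_blob`, `demo_map`, `demo_detach` and `demo_caller_gets_stale_pointer` are hypothetical names. It contrasts the pre-fix flow, where the caller is handed the address of memory that has already been unmapped, with the fixed flow, where the caller receives NULL and can fail safely.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

/* Hypothetical stand-in for the blob bookkeeping; not ImageMagick's BlobInfo. */
typedef struct {
    int mapped;                    /* nonzero while data is a live mapping */
    unsigned char *data;
    size_t length;
} demo_blob;

static int demo_map(demo_blob *b, size_t length) {
    void *p = mmap(NULL, length, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    b->data = p; b->length = length; b->mapped = 1;
    return 0;
}

/* Release the mapping, then hand the buffer pointer to the caller.
   patched == 0 models the pre-fix flow, patched == 1 the fixed flow. */
static unsigned char *demo_detach(demo_blob *b, int patched) {
    unsigned char *data;
    if (b->mapped) {
        munmap(b->data, b->length);
        if (patched) b->data = NULL;   /* the one-line fix the page describes */
        b->mapped = 0;
    }
    data = b->data;                    /* pre-fix: still the unmapped address */
    b->data = NULL;
    b->length = 0;
    return data;
}

/* Returns 1 if the caller receives a non-NULL pointer to unmapped memory,
   0 if it receives NULL, -1 if the mapping could not be created. */
int demo_caller_gets_stale_pointer(int patched) {
    demo_blob b = {0, NULL, 0};
    if (demo_map(&b, 4096) != 0) return -1;
    return demo_detach(&b, patched) != NULL;   /* compared, never dereferenced */
}

int main(void) {
    printf("pre-fix: stale pointer returned = %d\n", demo_caller_gets_stale_pointer(0));
    printf("fixed:   stale pointer returned = %d\n", demo_caller_gets_stale_pointer(1));
    return 0;
}
```

When validating a rebuilt package, running the image-processing path under AddressSanitizer is a practical way to confirm that no caller still reads through a released blob pointer.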
Preconditions
- input: The attacker must provide a crafted file that triggers the UnmapBlob function.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00040.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00042.html (mitre, vendor-advisory, x_refsource_SUSE)
- github.com/ImageMagick/ImageMagick/commit/c5d012a46ae22be9444326aa37969a3f75daa3ba (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/compare/7.0.8-41...7.0.8-42 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/issues/43 (mitre, x_refsource_MISC)