CVE-2019-15139
Description
A crafted XWD image triggers an out-of-bounds read in ImageMagick 7.0.8-41 Q16, causing a crash (DoS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The XWD (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 contains an out-of-bounds read vulnerability in the ReadXWDImage function in coders/xwd.c. The issue occurs because the code does not validate that header.xoffset is within the bounds of the blob size, nor does it properly check header.ncolors for integer overflow when allocating memory for color entries. A crafted XWD file with a large xoffset or excessive ncolors can cause an invalid memory read, leading to a crash [1][2].
Exploitation
An attacker needs to craft a malicious XWD file and entice a user to process it with ImageMagick (e.g., via identify -verbose or convert). No authentication or special privileges are required; the attack is remote and relies on user interaction (opening or converting the file). The crash occurs when the parser attempts to read from an invalid address due to the missing offset and length checks [1][2].
Impact
Successful exploitation causes a denial-of-service (DoS) via application crash. The crash results from an out-of-bounds read that can trigger a segmentation fault (as demonstrated by AddressSanitizer). No code execution is reported; the impact is limited to service disruption and potential data loss if the program terminates while processing other images [1][2].
Mitigation
The fix was committed on the development branch in commit c78993d138bf480ab4652b5a48379d4ff75ba5f7 (reference [1]), which adds bounds checks for header.xoffset and corrects the color allocation length validation. Affected users should update ImageMagick to a version containing this fix (e.g., builds after August 18, 2019). No official release version incorporating the fix is specified in the references; therefore, building from the patched source or applying the patch is recommended. This vulnerability is not listed on the CISA KEV catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (18)
- ImageMagick/ImageMagick (description)
- Range: =7.0.8-41 Q16
- osv-coords (16 versions)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 7.0.7.34-lp150.2.41.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 7.0.7.34-lp151.7.12.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed (no CPE), range: < 7.1.0.9-1.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015 (no CPE), range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1 (no CPE), range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015 (no CPE), range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1 (no CPE), range: < 7.0.7.34-3.72.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4 (no CPE), range: < 6.8.8.1-71.131.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (no CPE), range: < 6.8.8.1-71.131.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on `header.xoffset` allows an out-of-bounds read in `ReadXWDImage` when processing a corrupted XWD file."
Attack vector
An attacker crafts a corrupted XWD image file with a malicious `xoffset` field that exceeds the actual image data size. When ImageMagick's `ReadXWDImage` processes the file (e.g., via `convert` or `identify`), the out-of-bounds `xoffset` causes an invalid memory read at `xwd.c:573`, leading to a segmentation fault [ref_id=2]. No authentication or special privileges are required; the attacker only needs to deliver the crafted file to a victim who opens it with ImageMagick.
Affected code
The vulnerability resides in the `ReadXWDImage` function in `coders/xwd.c`. The crash occurs at line 573 of that file, triggered when processing a corrupted XWD image file [ref_id=2]. The patch adds a bounds check on `header.xoffset` against the blob size and fixes a color-table validation check [ref_id=1].
What the fix does
The patch adds a check that `header.xoffset` is less than the blob size, rejecting files where the offset exceeds the available data [ref_id=1]. It also corrects the color-table validation from checking `header.ncolors == 0` to checking `header.colormap_entries == 0`, and removes an overly permissive `ncolors > 65535` check. Additionally, the `CoderDecoderSeekableStreamFlag` flag is set on the XWD coder to ensure seekable stream behavior. These changes prevent the out-of-bounds read that caused the crash.
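The offset comparison described above, as an added example in C that is not ImageMagick's code or the patch itself: a hypothetical stand-alone pre-parse check over the 100-byte, big-endian XWD version 7 header (`xwd_check`, `xwd_check_sample` and the verdict names are assumptions). The colormap-length check is an assumption added here for the `ncolors` allocation concern, not part of the described fix.

```c
#include <stdint.h>
#include <stdio.h>

#define XWD_HEADER_SIZE 100u  /* XWDFileHeader: 25 big-endian 32-bit fields */
#define XWD_COLOR_SIZE   12u  /* one on-disk XWDColor colormap record */

enum xwd_verdict { XWD_OK, XWD_TRUNCATED, XWD_BAD_HEADER, XWD_BAD_XOFFSET, XWD_BAD_COLORMAP };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Hypothetical pre-parse validator (not ImageMagick code): reject a blob
 * whose header describes more data than is actually present. */
enum xwd_verdict xwd_check(const unsigned char *blob, size_t blob_size) {
    if (blob_size < XWD_HEADER_SIZE) return XWD_TRUNCATED;
    uint32_t header_size = be32(blob);       /* field 0 */
    uint32_t version     = be32(blob + 4);   /* field 1, 7 for XWD v7 */
    uint32_t xoffset     = be32(blob + 24);  /* field 6 */
    uint32_t ncolors     = be32(blob + 76);  /* field 19 */
    if (version != 7 || header_size < XWD_HEADER_SIZE || header_size > blob_size)
        return XWD_BAD_HEADER;
    /* The comparison the fix is described as adding: xoffset < blob size. */
    if (xoffset >= blob_size) return XWD_BAD_XOFFSET;
    /* Added assumption: the colormap must fit in the bytes after the header.
     * 64-bit math keeps ncolors * 12 from wrapping. */
    if ((uint64_t)ncolors * XWD_COLOR_SIZE > (uint64_t)(blob_size - header_size))
        return XWD_BAD_COLORMAP;
    return XWD_OK;
}

/* Constructed sample: zeroed blob of `total` bytes with a minimal header. */
enum xwd_verdict xwd_check_sample(uint32_t xoffset, uint32_t ncolors, size_t total) {
    unsigned char blob[256] = {0};
    if (total > sizeof blob) total = sizeof blob;
    put32(blob, XWD_HEADER_SIZE); put32(blob + 4, 7);
    put32(blob + 24, xoffset);    put32(blob + 76, ncolors);
    return xwd_check(blob, total);
}

int main(void) {
    printf("sane=%d big_xoffset=%d big_ncolors=%d\n", xwd_check_sample(0, 2, 200),
           xwd_check_sample(0x7fffffffu, 2, 200), xwd_check_sample(0, 0xffffffffu, 200));
    return 0;
}
```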
Preconditions
- input: Victim must open a crafted XWD file with ImageMagick (e.g., via `convert` or `identify`)
- network: No authentication or special network access required
Reproduction
Run `identify -verbose $FILE` or `convert $FILE /dev/null` on a crafted XWD file. Proof-of-concept files are available at https://github.com/ntu-sec/pocs/raw/master/imagemagick/112760b26/crashes/read_xwd.c:573_1.xwd and https://github.com/ntu-sec/pocs/raw/master/imagemagick/112760b26/crashes/read_xwd.c:573_2.xwd [ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (10)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00040.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00042.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3IYH7QSNXXOIDFTYLY455ANZ3JWQ7FCS/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FS76VNCFL3FVRMGXQEMHBOKA7EE46BTS/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1553 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/10/msg00028.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2020/09/msg00007.html (mitre, mailing-list, x_refsource_MLIST)