VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 18, 2019· Updated Aug 5, 2024

CVE-2019-15140

CVE-2019-15140

Description

ImageMagick 7.0.8-43 Q16 has a use-after-free in coders/mat.c when processing malformed Matlab images, leading to denial of service or possible code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick 7.0.8-43 Q16 has a use-after-free in coders/mat.c when processing malformed Matlab images, leading to denial of service or possible code execution.

Vulnerability

ImageMagick 7.0.8-43 Q16 contains a use-after-free vulnerability in coders/mat.c when processing crafted Matlab image files. The issue occurs in ReadImage within MagickCore/constitute.c [2], where a malformed MATLAB header can lead to a heap-use-after-free [2].

Exploitation

An attacker can trigger this vulnerability by convincing a user to open a specially crafted Matlab image file using ImageMagick [1]. No authentication is required; the attack can be delivered remotely. The malformed file corrupts internal state, causing a use-after-free as shown in the AddressSanitizer output [2].

Impact

Successful exploitation results in a denial of service (application crash) or potentially arbitrary code execution with the privileges of the user running ImageMagick [1]. The exact impact beyond crash is unspecified but could be serious.

Mitigation

The vulnerability is patched in commit f720661 [3]. Ubuntu users should apply the update from USN-4192-1 [1]. No workaround is available aside from upgrading.

References
  1. USN-4192-1: ImageMagick vulnerabilities | Ubuntu security notices | Ubuntu
  2. AddressSanitizer: heap-use-after-free at constitute.c:659
  3. https://github.com/ImageMagick/ImageMagick/issues/1554 · ImageMagick/ImageMagick@f720661

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use-after-free in ReadMATImage where an image object is freed (via DestroyImage) but later accessed by ReadImage at constitute.c:659."

Attack vector

An attacker crafts a malicious Matlab image file that triggers a code path in ReadMATImage (coders/mat.c) where an image is destroyed prematurely. When control returns to ReadImage in MagickCore/constitute.c, the freed image pointer is written to at line 659, causing a heap-use-after-free crash [ref_id=1]. The only precondition is that the victim runs ImageMagick's `convert` utility (or any tool that calls ReadImage) on the attacker-supplied file.

Affected code

The vulnerability is in coders/mat.c (ReadMATImage function) and MagickCore/constitute.c (ReadImage function, line 659). The AddressSanitizer trace shows the use-after-free write occurs at constitute.c:659, while the image is freed at mat.c:1479 via DestroyImage [ref_id=1].

What the fix does

The advisory does not include a patch or explicit remediation guidance. Based on the crash report [ref_id=1], the fix would need to ensure that ReadMATImage does not destroy an image object that ReadImage still expects to be alive, or that ReadImage checks the image pointer for validity after the decoder returns. Without a published patch, users should avoid processing untrusted Matlab files with the affected ImageMagick version (7.0.8-43 Q16).

Preconditions

  • inputVictim must process a crafted Matlab (.mat) image file using ImageMagick.
  • authNo authentication or special privileges required beyond file access.

Reproduction

Run `convert $FILE /dev/null` where `$FILE` is a crafted Matlab image file. The AddressSanitizer output confirms the heap-use-after-free at constitute.c:659 [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.