CVE-2019-7396
Description
Memory leak in ImageMagick's ReadSIXELImage before 7.0.8-25 allows DoS via crafted SIXEL images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A memory leak exists in the ReadSIXELImage function in coders/sixel.c of ImageMagick before version 7.0.8-25. When processing a crafted SIXEL image, if the image dimensions exceed max_x or max_y, a new pixel buffer is allocated. If the subsequent palette allocation fails, the function returns MagickFalse without freeing the allocated pixel buffer, leading to a memory leak [1].
Exploitation
An attacker must supply a specially crafted SIXEL image that triggers the condition where dimensions exceed the maximum values, causing the code path in sixel_decode to allocate a new buffer. The user must then open the malicious image with ImageMagick. No special privileges or network position are required beyond file access [1].
Impact
Successful exploitation results in a memory leak, which could lead to memory exhaustion and denial of service. No code execution or privilege escalation is possible [1].
Mitigation
The vulnerability is fixed in ImageMagick version 7.0.8-25. The commit 748a036 adds a missing RelinquishMagickMemory call for sixel_pixels when the palette allocation fails [2]. Users should update to the latest version. No known workarounds are documented.
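The ownership pattern described in the Vulnerability and Mitigation paragraphs, as an added C model that is not ImageMagick source. `toy_decode`, `toy_read`, the allocation counters and the buffer sizes are hypothetical stand-ins, and the palette failure is injected rather than triggered by an image.

```c
/* Added illustration: a simplified model of the leak, not ImageMagick source. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

static long live_allocs;                /* allocations not yet freed */
static int alloc_calls, fail_on_alloc;  /* attempts so far; Nth attempt to fail (0 = never) */

static void *track_alloc(size_t n) {
    if (++alloc_calls == fail_on_alloc) return NULL;  /* injected failure */
    void *p = malloc(n);
    if (p != NULL) live_allocs++;
    return p;
}
static void *track_free(void *p) {  /* NULL-safe; returns NULL to clear the caller's pointer */
    if (p != NULL) { free(p); live_allocs--; }
    return NULL;
}

/* Hypothetical stand-in for sixel_decode: pixel buffer first, then the palette. */
static bool toy_decode(unsigned char **pixels, unsigned char **palette) {
    *pixels = track_alloc(64 * 64);
    if (*pixels == NULL) return false;
    *palette = track_alloc(256 * 4);
    if (*palette == NULL) return false;  /* fails with *pixels still allocated */
    return true;
}

/* Hypothetical stand-in for the reader; returns the number of live allocations.
   release_pixels=false models the error path before the fix, true after it. */
static long toy_read(bool release_pixels, int inject_failure_at) {
    unsigned char *buffer, *pixels = NULL, *palette = NULL;
    live_allocs = 0; alloc_calls = 0; fail_on_alloc = inject_failure_at;
    buffer = track_alloc(128);             /* allocation 1: the input data */
    if (buffer == NULL) return live_allocs;
    if (!toy_decode(&pixels, &palette)) {  /* allocations 2 and 3 */
        buffer = track_free(buffer);
        if (release_pixels) pixels = track_free(pixels);  /* the added release */
        return live_allocs;
    }
    buffer = track_free(buffer);
    pixels = track_free(pixels);
    palette = track_free(palette);
    return live_allocs;
}

int main(void) {
    printf("before: %ld leaked, after: %ld leaked\n", toy_read(false, 3), toy_read(true, 3));
}
```

Injecting the failure at allocation 2 instead exercises the case where the pixel buffer was never allocated, which the release has to tolerate as a NULL pointer.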
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6.9.10-0, 6.9.10-1, 6.9.10-10, … + 1 more
- (no CPE) range: 6.9.10-0, 6.9.10-1, 6.9.10-10, …
- (no CPE) range: <7.0.8-25
- osv-coords, 3 versions:
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
< 7.0.7.34-lp150.2.26.1 + 2 more
- (no CPE) range: < 7.0.7.34-lp150.2.26.1
- (no CPE) range: < 7.0.7.34-3.49.4
- (no CPE) range: < 7.0.7.34-3.49.4
Patches
1 file changed · +1 −1
ChangeLog+1 −1 modified@@ -1,5 +1,5 @@ 2019-01-27 7.0.8-25 Cristy <quetzlzacatenango@image...> - * Release ImageMagick version 7.0.8-25, GIT revision 15277:8aba36709:20190127 + * Release ImageMagick version 7.0.8-25, GIT revision 15279:7da783a5b:20190127 2019-01-19 7.0.8-25 Cristy <quetzlzacatenango@image...> * Eliminate spurious font warning (reference
748a03651e5b https://github.com/ImageMagick/ImageMagick/issues/1452
1 file changed · +1 −0
coders/sixel.c+1 −0 modified@@ -1057,6 +1057,7 @@ static Image *ReadSIXELImage(const ImageInfo *image_info,ExceptionInfo *exceptio if (sixel_decode(image,(unsigned char *) sixel_buffer,&sixel_pixels,&image->columns,&image->rows,&sixel_palette,&image->colors,exception) == MagickFalse) { sixel_buffer=(char *) RelinquishMagickMemory(sixel_buffer); + sixel_pixels=(unsigned char *) RelinquishMagickMemory(sixel_pixels); ThrowReaderException(CorruptImageError,"CorruptImage"); } sixel_buffer=(char *) RelinquishMagickMemory(sixel_buffer);
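Review bot: In the failure branch of the coders/sixel.c hunk, sixel_pixels is now released but sixel_palette, which is passed to sixel_decode by address in the same call, is not. If sixel_decode can return MagickFalse after the palette has been allocated, that buffer still leaks on this path, so either release it here as well or add a comment stating that sixel_decode frees it before failing. The added call also relies on sixel_pixels being either NULL or a valid allocation whenever sixel_decode fails; its declaration is outside the visible context, so confirm it is initialised to NULL.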
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00034.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4034-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.securityfocus.com/bid/106849 (mitre, vdb-entry, x_refsource_BID)
- github.com/ImageMagick/ImageMagick/commit/748a03651e5b138bcaf160d15133de2f4b1b89ce (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1452 (mitre, x_refsource_MISC)