CVE-2020-12672
Description
GraphicsMagick before 1.3.35 contains a heap-based buffer overflow in ReadMNGImage that can be triggered by a crafted MNG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GraphicsMagick before 1.3.35 contains a heap-based buffer overflow in ReadMNGImage that can be triggered by a crafted MNG file.
Vulnerability
GraphicsMagick through version 1.3.35 includes a heap-based buffer overflow vulnerability in the ReadMNGImage function located in coders/png.c. This flaw can be exploited when processing a specially crafted MNG (Multiple-image Network Graphics) file, which may cause memory corruption. The vulnerability is present in all versions up to and including 1.3.35 [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious MNG file that is processed by GraphicsMagick tools or libraries. No special privileges are required; the attacker only needs to convince a user or application using GraphicsMagick to open the crafted file. The overflow occurs in the heap memory during the MNG decoding process, likely due to improper bounds checking [1].
Impact
Successful exploitation could lead to arbitrary code execution in the context of the GraphicsMagick process. The Gentoo security advisory characterizes it as a serious fuzzing issue that may allow for arbitrary code execution [1]. This could result in full compromise of the system if the process runs with high privileges, or at minimum cause a denial of service due to application crash.
Mitigation
The vulnerability is fixed in GraphicsMagick version 1.3.38, released on 2020-05-14. Users are strongly advised to upgrade to this version or later. Gentoo provides a GLSA (202209-19) with upgrade instructions for the media-gfx/graphicsmagick package. No known workaround exists for unpatched versions [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5- GraphicsMagick/GraphicsMagickdescription
- Range: <=1.3.35
- osv-coords3 versionspkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Tumbleweedpkg:rpm/suse/GraphicsMagick&distro=SUSE%20Package%20Hub%2015%20SP1
< 1.3.29-lp151.4.20.1+ 2 more
- (no CPE)range: < 1.3.29-lp151.4.20.1
- (no CPE)range: < 1.3.36-1.7
- (no CPE)range: < 1.3.29-bp151.5.15.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- lists.opensuse.org/opensuse-security-announce/2020-06/msg00008.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2020-06/msg00012.htmlmitrevendor-advisoryx_refsource_SUSE
- security.gentoo.org/glsa/202209-19mitrevendor-advisoryx_refsource_GENTOO
- bugs.chromium.org/p/oss-fuzz/issues/detailmitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2020/06/msg00004.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.