VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2020 · Updated Aug 4, 2024

CVE-2020-19667

Description

A stack-based buffer overflow in ImageMagick's ReadXPMImage function allows a denial of service or potential code execution via a crafted XPM file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in ReadXPMImage in coders/xpm.c of ImageMagick version 7.0.10-7 and possibly earlier versions. The vulnerability occurs at line 232 in the ParseXPMColor function, where a read of size 1 exceeds the bounds of a stack-allocated buffer target[4096] (declared at line 251). This is triggered when processing a specially crafted XPM image file [1].

Exploitation

An attacker needs to supply a malicious XPM file as input. No authentication or special privileges are required; the attack can be performed by convincing a user (or an automated service) to open the file with ImageMagick (e.g., convert malicious.xpm output.png). The overflow is a stack-based read overflow; the ASAN trace shows a READ of size 1 at an address past the target buffer. While the crash is easily reproducible, the exact exploitation complexity depends on the memory layout and defenses [1].

Impact

Successful exploitation causes an out-of-bounds read, leading to a denial of service (application crash) as reported. Depending on the environment and mitigations, this could potentially be leveraged for information disclosure or, in a worst-case scenario, arbitrary code execution if an attacker can control the overflow to corrupt critical stack data [1].

Mitigation

The official fix was committed to the ImageMagick repository after the issue was reported. Users should update to a version newer than 7.0.10-7 that includes the patch. The issue is tracked on GitHub issue #1895 [1]. No specific workaround is provided other than avoiding processing untrusted XPM files until the patch is applied.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 42

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking on XPM color entry data copied into a fixed-size stack buffer in ParseXPMColor allows a stack-buffer-overflow."

Attack vector

An attacker provides a specially crafted XPM image file that contains a color entry whose parsed representation exceeds the 4096-byte stack buffer `target` in `ReadXPMImage` [ref_id=1]. When ImageMagick's `convert` or `identify` command processes this file, `ParseXPMColor` writes past the end of `target`, causing a stack-buffer-overflow read of size 1 at offset 8352 [ref_id=1]. No authentication is required; the attacker only needs to deliver the malicious image to a victim who processes it with ImageMagick.

Affected code

The vulnerability resides in `coders/xpm.c` in the `ReadXPMImage` function, specifically at line 232 within `ParseXPMColor` [ref_id=1]. The stack buffer `target` (declared at line 251 with size 4096 bytes) is overflowed when parsing a crafted XPM color entry [ref_id=1].

What the fix does

The advisory does not include a published patch or explicit remediation steps [ref_id=1]. The issue was reported to the ImageMagick project as a stack-buffer-overflow in `ParseXPMColor` at `coders/xpm.c:232`, and the reporter requested a CVE ID [ref_id=1]. Without a patch, the recommended mitigation would be to avoid processing untrusted XPM files or to apply input-length validation on color entries before copying them into the fixed-size stack buffer.
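Added example, not ImageMagick's code and not the project's fix: the unbounded fixed-buffer copy the root cause describes beside the length-checked copy the mitigation above suggests, applied to a color entry pulled from a constructed XPM color line. TARGET_SIZE (taken from the 4096-byte figure the page reports), the function names and the quote-scanning parse are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical illustration, not ImageMagick's code. TARGET_SIZE mirrors the
 * 4096-byte stack buffer the page reports; all function names are assumed. */
#define TARGET_SIZE 4096

/* Vulnerable pattern: the copy length comes from the input, not the buffer. */
void copy_color_entry_unchecked(char *target, const char *entry, size_t len)
{
    memcpy(target, entry, len);          /* overruns target once len >= 4096 */
    target[len] = '\0';
}

/* Hardened pattern: copy only when the entry plus its NUL fits.
 * Returns 0 on success, -1 when the entry is rejected. */
int copy_color_entry_checked(char *target, size_t target_size,
                             const char *entry, size_t len)
{
    if (target == NULL || entry == NULL || len >= target_size)
        return -1;                       /* no room for data + terminator */
    memcpy(target, entry, len);
    target[len] = '\0';
    return 0;
}

/* Checks one XPM color line such as  "c c red",  : the text between the first
 * pair of double quotes goes through the checked copy into a stack buffer of
 * the reported size. Returns 1 if it fits, 0 if it would have overflowed,
 * -1 if the line carries no quoted entry. */
int xpm_color_line_fits(const char *line)
{
    char target[TARGET_SIZE];
    const char *open = strchr(line, '"');
    const char *close = open ? strchr(open + 1, '"') : NULL;
    if (close == NULL)
        return -1;
    return copy_color_entry_checked(target, sizeof target,
                                    open + 1, (size_t)(close - open - 1)) == 0;
}

/* Constructed overlong sample: 4096 'A's between the quotes, one byte too
 * many once the terminator is counted. Returns xpm_color_line_fits's verdict. */
int overlong_entry_fits(void)
{
    static char line[TARGET_SIZE + 4] = "\"";
    memset(line + 1, 'A', TARGET_SIZE);
    memcpy(line + TARGET_SIZE + 1, "\",", 3);  /* closing quote, comma, NUL */
    return xpm_color_line_fits(line);
}
```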

Preconditions

  • input: Victim must process a malicious XPM file using ImageMagick (e.g., via `convert` or `identify`).
  • auth: No special privileges or authentication required.

Reproduction

The advisory provides a PoC crash file located at `./afl-Ima/sync_dir/fuzzer2/crashes/id:000000,sig:06,src:009314,op:havoc,rep:16` [ref_id=1]. To reproduce, run: `magick convert ./

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.