VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 8, 2020· Updated Aug 4, 2024

CVE-2020-27753

CVE-2020-27753

Description

Memory leaks in ImageMagick's MIFF coder due to improper image depth values can be triggered by a crafted file, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leaks in ImageMagick's MIFF coder due to improper image depth values can be triggered by a crafted file, leading to denial of service.

Vulnerability

Memory leaks exist in the MIFF coder in /coders/miff.c of ImageMagick versions prior to 7.0.9-0. The leaks occur because the coder improperly handles image depth values when passing data to AcquireMagickMemory(). A specially crafted input file can trigger these leaks, potentially leading to application availability impact or denial of service [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted MIFF image file to an affected ImageMagick instance. No special privileges or network position are required beyond the ability to supply the file (e.g., via user interaction such as opening the file or processing it through an automated service). The crafted file contains improper image depth values that cause the MIFF coder to leak memory during processing [1].

Impact

Successful exploitation results in memory leaks that can exhaust available memory, leading to a denial of service (DoS) condition. The impact is limited to application availability; no information disclosure or code execution is indicated in the available references [1].

Mitigation

The vulnerability is fixed in ImageMagick version 7.0.9-0. Users should update to this version or later. Red Hat has stated that this flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7; for supported distributions, apply the available patch. No workarounds are documented in the references [1].

References
  1. memory leaks in AcquireMagickMemory function

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper handling of image depth values in the MIFF coder leads to incorrect data being passed to AcquireMagickMemory(), causing memory leaks."

Attack vector

An attacker provides a specially crafted input file that triggers improper image depth values in the MIFF coder. The MIFF coder then passes malformed data to `AcquireMagickMemory()`, causing memory leaks. This can be exploited remotely by delivering the crafted file to an application that uses ImageMagick to process MIFF images, potentially leading to a denial of service through resource exhaustion [ref_id=1].

Affected code

The memory leaks reside in the MIFF coder at `/coders/miff.c`. The root cause is improper handling of image depth values, which leads to incorrect data being passed to `AcquireMagickMemory()`.

What the fix does

The patch addresses the issue in the MIFF coder rather than in `AcquireMagickMemory()` itself. It corrects how the MIFF coder handles image depth values before passing data to `AcquireMagickMemory()`, preventing the memory leaks. The advisory notes that the original report misattributed the leaks to `AcquireMagickMemory()` because LeakSanitizer detected them there, but the actual defect is in the MIFF coder's data handling [ref_id=1].

Preconditions

  • inputThe victim application must process a specially crafted MIFF file using ImageMagick.
  • networkThe attacker must be able to deliver the crafted file to the application (e.g., via upload, network share, or email attachment).

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.