CVE-2020-27758
Description
ImageMagick's txt coder has undefined behavior due to an out-of-range unsigned long long value, potentially causing application availability loss.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick's txt coder has undefined behavior due to an out-of-range unsigned long long value, potentially causing application availability loss.
Vulnerability
A flaw exists in ImageMagick's txt coder, specifically in the ReadTXTImage() function within coders/txt.c. Improper handling of pixel values can result in values outside the representable range of the unsigned long long type, leading to undefined behavior. This issue affects ImageMagick versions prior to 7.0.8-68.
Exploitation
An attacker would need to submit a crafted file that is processed by ImageMagick. No special authentication or network position is mentioned; the attack vector is via a malicious file. The undefined behavior occurs when the parsed pixel value exceeds the unsigned long long maximum due to missing or insufficient constraints.
Impact
Successful exploitation could lead to an impact on application availability, as undefined behavior can cause crashes or other unpredictable results. The vulnerability is rated Low by Red Hat because no specific severe impact was demonstrated, though other problems related to undefined behavior are theoretically possible.
Mitigation
ImageMagick version 7.0.8-68 and later contain the fix. For Red Hat Enterprise Linux 5, 6, and 7, the flaw is out of support scope. Inkscape on Red Hat Enterprise Linux 8 is not affected. Users should upgrade to the fixed version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
21- ImageMagick/ImageMagickdescription
- Range: <7.0.8-68
- osv-coords19 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/ImageMagick&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/ImageMagick&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/ImageMagick&distro=SUSE%20Manager%20Server%204.0
< 7.0.7.34-lp151.7.26.1+ 18 more
- (no CPE)range: < 7.0.7.34-lp151.7.26.1
- (no CPE)range: < 7.0.7.34-lp152.12.9.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-10.9.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-10.9.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing maximum-value constraints in pixel computation within ReadTXTImage() allows values to exceed the range of unsigned long long."
Attack vector
An attacker crafts a malicious image file that, when processed by ImageMagick's txt coder, causes pixel value calculations to overflow beyond the range of `unsigned long long`. The advisory notes that this undefined behavior could lead to an application availability impact, though no specific exploit was demonstrated [ref_id=1]. No authentication or special network position is required beyond delivering the crafted file to a victim or service that uses ImageMagick.
Affected code
The flaw resides in `coders/txt.c` within the `ReadTXTImage()` function. The function computes pixel values that can exceed the representable range of `unsigned long long` due to insufficient maximum-value constraints [ref_id=1]. This affects ImageMagick versions prior to 7.0.8-68.
What the fix does
The patch is not included in the bundle, but the advisory states that the fix was released in ImageMagick version 7.0.8-68. The remediation likely adds proper bounds checking on pixel value computations in `ReadTXTImage()` to prevent values from exceeding the range of `unsigned long long`. Without the patch, the undefined behavior remains triggerable.
Preconditions
- inputThe attacker must supply a crafted image file that is processed by ImageMagick's txt coder.
- configThe victim or service must use an affected version of ImageMagick (prior to 7.0.8-68).
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- lists.debian.org/debian-lts-announce/2021/03/msg00030.htmlmitremailing-list
- lists.debian.org/debian-lts-announce/2023/03/msg00008.htmlmitremailing-list
- bugzilla.redhat.com/show_bug.cgimitre
News mentions
0No linked articles in our index yet.