Unrated severityNVD Advisory· Published Dec 4, 2020· Updated Aug 4, 2024

CVE-2020-27770

Description

A missing check for a zero value of replace_extent in SubstituteString() can cause an integer overflow, leading to application denial-of-service in ImageMagick versions prior to 7.0.8-68.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing check for a zero value of `replace_extent` in SubstituteString() can cause an integer overflow, leading to application denial-of-service in ImageMagick versions prior to 7.0.8-68.

Vulnerability

In ImageMagick versions prior to 7.0.8-68, the function SubstituteString() in MagickCore/string.c contains an integer overflow vulnerability. A missing check for a zero value of the replace_extent parameter allows the offset p to overflow when computing a pointer, leading to undefined behavior. This flaw can be triggered by processing a specially crafted input file [1]. Versions before 7.0.8-68 are affected [1].

Exploitation

An attacker needs to provide a crafted input file to an application using a vulnerable version of ImageMagick. No special privileges or network position are required beyond the ability to submit the file for processing. The exploitation relies on the missing check for a zero value in replace_extent, which causes an unsigned integer overflow during string substitution [1].

Impact

Successful exploitation leads to an impact on application availability, likely a crash or denial-of-service condition. The vulnerability does not appear to allow arbitrary code execution or information disclosure based on the available references [1].

Mitigation

The issue is fixed in ImageMagick version 7.0.8-68, released on 2020-12-04. Users should update to this version or later. The upstream fix is available in commit be90a5395695f0d19479a5d46b06c678be7f7927 [1]. For Red Hat Enterprise Linux 5, 6, and 7, the flaw is out of support scope and no fix is provided. Users of those versions should consider upgrading to a supported operating system [1].

References

unsigned offset overflowed at MagickCore/string.c

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

ImageMagick/ImageMagickdescription
ImageMagick/Imagemagickllm-fuzzy
Range: <7.0.8-68
osv-coords39 versions
pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.2 pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed pkg:rpm/suse/ImageMagick&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ImageMagick&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/ImageMagick&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Manager%20Proxy%204.0 pkg:rpm/suse/ImageMagick&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0 pkg:rpm/suse/ImageMagick&distro=SUSE%20Manager%20Server%204.0 pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 7.0.7.34-lp151.7.26.1+ 38 more
- (no CPE)range: < 7.0.7.34-lp151.7.26.1
- (no CPE)range: < 7.0.7.34-lp152.12.9.1
- (no CPE)range: < 7.1.0.9-1.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-10.9.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-10.9.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 7.0.7.34-3.90.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1
- (no CPE)range: < 6.8.8.1-71.154.1

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

lists.debian.org/debian-lts-announce/2021/03/msg00030.htmlmitremailing-list
lists.debian.org/debian-lts-announce/2023/03/msg00008.htmlmitremailing-list
bugzilla.redhat.com/show_bug.cgimitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000