Unrated severityNVD Advisory· Published May 11, 2021· Updated Aug 3, 2024

CVE-2021-20312

Description

Integer overflow in ImageMagick's WriteTHUMBNAILImage can cause undefined behavior via crafted image, threatening system availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in ImageMagick's WriteTHUMBNAILImage can cause undefined behavior via crafted image, threatening system availability.

Vulnerability

An integer overflow vulnerability exists in the WriteTHUMBNAILImage function in coders/thumbnail.c of ImageMagick version 7.0.11. When processing a specially crafted image file, the overflow may trigger undefined behavior. The flaw is reachable when an application using ImageMagick processes a malicious image provided by an attacker.

Exploitation

An attacker can exploit this vulnerability by submitting a crafted image file to an application that uses ImageMagick to process it. No authentication or special privileges are required; the attacker only needs to deliver the malicious image to the vulnerable application. The application must call the thumbnail writing functionality for the vulnerable code path to be triggered.

Impact

Successful exploitation leads to undefined behavior, which can result in a denial of service condition, affecting system availability. The highest threat from this vulnerability is to system availability, as per the CVSS score. No other impacts (confidentiality or integrity) are indicated in the available references.

Mitigation

The vulnerability is present in ImageMagick 7.0.11. Upgrading to a patched version of ImageMagick beyond 7.0.11 is recommended. According to Red Hat's advisory [1], Red Hat Enterprise Linux 8 does not ship ImageMagick, and RHEL 6 and 7 are out of support scope for this flaw. No specific fixed version is disclosed in the available references.

References

Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

ImageMagick/ImageMagickdescription
ImageMagick/Imagemagickllm-fuzzy
Range: =7.0.11
osv-coords15 versions
pkg:apk/chainguard/imagemagick-6 pkg:apk/chainguard/imagemagick-6-dev pkg:apk/chainguard/imagemagick-6-doc pkg:apk/chainguard/imagemagick-6-static pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.2 pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5
< 0+ 14 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 7.0.7.34-lp152.12.15.1
- (no CPE)range: < 7.1.0.9-1.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 7.0.7.34-10.15.1
- (no CPE)range: < 7.0.7.34-10.15.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 6.8.8.1-71.165.1

Patches

dc69067b7cf8

pending release

https://github.com/imagemagick/imagemagickCristyFeb 13, 2021via osv

commit

2 files changed · +19 −19

ChangeLog+2 −2 modified

@@ -1,5 +1,5 @@
-2021-02-10  7.0.11-0  <quetzlzacatenango@image...>
-  * Release ImageMagick version 7.0.11-0 GIT revision 18
+2021-02-13  7.0.11-0  <quetzlzacatenango@image...>
+  * Release ImageMagick version 7.0.11-0 GIT revision 18438:ff3ef50ab:20210213
 
 2021-02-10  7.0.11-0  <quetzlzacatenango@image...>
   * bump minor version #

index.html+17 −17 modified

@@ -5,30 +5,30 @@
 <!doctype html>
 <html lang="en">
 <head>
-  <meta charset="utf-8" >
-  <meta name="viewport" content="width=device-width, initial-scale=1" >
+  <meta charset="utf-8"  />
+  <meta name="viewport" content="width=device-width, initial-scale=1"  />
   <title>ImageMagick - Convert, Edit, or Compose Digital Images</title>
-  <meta name="application-name" content="ImageMagick">
-  <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more.">
-  <meta name="application-url" content="https://imagemagick.org">
-  <meta name="generator" content="PHP">
-  <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software">
-  <meta name="rating" content="GENERAL">
-  <meta name="robots" content="INDEX, FOLLOW">
-  <meta name="generator" content="ImageMagick Studio LLC">
-  <meta name="author" content="ImageMagick Studio LLC">
-  <meta name="revisit-after" content="2 DAYS">
-  <meta name="resource-type" content="document">
-  <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC">
-  <meta name="distribution" content="Global">
-  <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1">
+  <meta name="application-name" content="ImageMagick" />
+  <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more." />
+  <meta name="application-url" content="https://imagemagick.org" />
+  <meta name="generator" content="PHP" />
+  <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software" />
+  <meta name="rating" content="GENERAL" />
+  <meta name="robots" content="INDEX, FOLLOW" />
+  <meta name="generator" content="ImageMagick Studio LLC" />
+  <meta name="author" content="ImageMagick Studio LLC" />
+  <meta name="revisit-after" content="2 DAYS" />
+  <meta name="resource-type" content="document" />
+  <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC" />
+  <meta name="distribution" content="Global" />
+  <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" />
   <meta property='og:url' content='./' />
   <meta property='og:title' content='ImageMagick' />
   <meta property='og:image' content='./images/logo.png' />
   <meta property='og:type' content='website' />
   <meta property='og:site_name' content='ImageMagick' />
   <meta property='og:description' content="Create, Edit, Compose, or Convert Digital Images" />
-  <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4">
+  <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
   <link href="./www/index.html" rel="canonical" />
   <link href="images/wand.png" rel="icon" />
   <link href="images/wand.ico" rel="shortcut icon" />

Vulnerability mechanics

Root cause

"Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c when processing a crafted image file, leading to undefined behavior."

Attack vector

An attacker submits a crafted image file to an application that uses ImageMagick to process it. When the application calls `WriteTHUMBNAILImage` in `coders/thumbnail.c`, an integer overflow occurs during thumbnail computation, which may trigger undefined behavior. The highest threat is to system availability, meaning the overflow can lead to a crash or denial of service. No authentication or special network position is required beyond the ability to supply a malicious image file.

Affected code

The vulnerability is in `WriteTHUMBNAILImage` in `coders/thumbnail.c`. The patch provided (dc69067b7cf84c0c8abddb07649abcc566323eda) only contains cosmetic HTML and changelog changes and does not modify any source code in `coders/thumbnail.c`. Therefore, the actual code fix for the integer overflow is not visible in this patch.

What the fix does

The provided patch (dc69067b7cf84c0c8abddb07649abcc566323eda) does not contain any changes to `coders/thumbnail.c` or any other source file that would fix an integer overflow. The diff only updates self-closing HTML tag syntax in `index.html` and bumps the release date and revision string in `ChangeLog`. Because the actual code fix is absent from this patch, no remediation logic can be analyzed from it. The advisory states the flaw exists in ImageMagick 7.0.11 and that a fix was intended for a pending release.

Preconditions

inputThe attacker must be able to supply a crafted image file to an application that uses ImageMagick to process it.
configThe application must invoke WriteTHUMBNAILImage (coders/thumbnail.c) on the attacker-supplied image.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

lists.debian.org/debian-lts-announce/2021/06/msg00000.htmlmitremailing-list
lists.debian.org/debian-lts-announce/2023/05/msg00020.htmlmitremailing-list
bugzilla.redhat.com/show_bug.cgimitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000