CVE-2021-3574
Description
Memory leak in ImageMagick when processing crafted TIFF files via convert, due to late validation of samples_per_pixel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A memory leak vulnerability exists in ImageMagick versions 7.0.11-5 and earlier (and likely ImageMagick6) when processing crafted TIFF files. The issue is in the `ReadTIFFImage` function in `coders/tiff.c`, where the check `if (samples_per_pixel > MaxPixelChannels)` was performed after certain allocations, causing a memory leak if the condition triggered [1][2].
Exploitation
An attacker can trigger the memory leak by providing a specially crafted TIFF file with a large number of samples per pixel and convincing a user to process it with the `convert` command. No authentication or special privileges are required; the attacker only needs to deliver the malicious file to the victim [1]. AddressSanitizer reports the leak [1].
Impact
Successful exploitation leads to memory exhaustion, potentially resulting in a denial-of-service condition. Repeated processing of such crafted files can cause increasing memory consumption. The vulnerability does not enable arbitrary code execution or significant information disclosure beyond memory layout leaks detectable by ASAN.
Mitigation
The fix was implemented by moving the samples_per_pixel check earlier in the ReadTIFFImage function, before allocations that could leak [2][3]. Users should update to a patched version (e.g., ImageMagick 7.0.11-6 or later, or any version after the commit). For ImageMagick6, apply the corresponding commit [3]. No workaround is available; upgrading is the recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: =7.0.11-5
- osv-coords, 4 versions, each with range: < 7.0.7.34-150200.10.39.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Memory allocated for quantum pixel data before a late-placed bounds check on samples_per_pixel is not freed when the check fails, causing a memory leak."
Attack vector
An attacker provides a crafted TIFF file where the `samples_per_pixel` field exceeds `MaxPixelChannels`. When ImageMagick's `convert` command processes this file, `ReadTIFFImage` allocates quantum-related memory (via `AcquireQuantumInfo`, `AcquireQuantumPixels`, `SetQuantumDepth`, etc.) before reaching the late-placed `samples_per_pixel` bounds check [1]. The error path then throws an exception without freeing the already-allocated memory, causing a memory leak detected by AddressSanitizer [1]. The attack requires only that the victim runs `magick convert` on the malicious TIFF file.
Affected code
The vulnerability resides in the `ReadTIFFImage` function in `coders/tiff.c` (ImageMagick 7) and the equivalent function in ImageMagick6. The check for `samples_per_pixel > MaxPixelChannels` was originally placed late in the function (after memory allocations for quantum pixels had already occurred), allowing memory to be allocated and then leaked when the error was thrown [2][3].
What the fix does
The patch moves the `samples_per_pixel > MaxPixelChannels` check earlier in `ReadTIFFImage`, placing it immediately after the existing `UnsupportedBitsPerPixel` check and before any quantum memory allocations occur [2][3]. The late check (originally around line 1731 in ImageMagick 7) is removed. By failing fast before `AcquireQuantumInfo`, `AcquireQuantumPixels`, and `SetQuantumDepth` are called, the fix ensures no memory is leaked when a TIFF with an excessive number of samples per pixel is encountered.
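The ordering problem and its fix, reduced to a self-contained C model (an added example, not ImageMagick's code). The two reader functions, the tracking allocator, the buffer sizes and the limit of 32 are constructed stand-ins for `ReadTIFFImage`, the quantum allocations and `MaxPixelChannels`.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHANNELS 32        /* constructed stand-in for MaxPixelChannels */
#define SLOTS 64               /* tracking table for outstanding allocations */
static void *slots[SLOTS];

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < SLOTS; i++)
        if (!slots[i]) return slots[i] = malloc(n);
    return NULL;               /* table full */
}
static void tracked_free(void *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (slots[i] == p) { free(p); slots[i] = NULL; return; }
}

/* Pre-fix ordering: buffers are acquired, then the field is validated. */
static int read_late_check(unsigned samples_per_pixel) {
    void *quantum_info = tracked_alloc(64);
    void *pixels = tracked_alloc(1024);
    if (samples_per_pixel > MAX_CHANNELS) return -1;  /* skips both frees: leak */
    tracked_free(pixels);
    tracked_free(quantum_info);
    return 0;
}

/* Post-fix ordering: reject the field before anything is acquired. */
static int read_early_check(unsigned samples_per_pixel) {
    if (samples_per_pixel > MAX_CHANNELS) return -1;  /* nothing to free yet */
    void *quantum_info = tracked_alloc(64);
    void *pixels = tracked_alloc(1024);
    tracked_free(pixels);
    tracked_free(quantum_info);
    return 0;
}

/* Run a reader `runs` times; return how many buffers it left allocated. */
static int leaked_after(int (*reader)(unsigned), unsigned spp, int runs) {
    int leaked = 0;
    for (int i = 0; i < runs; i++) (void)reader(spp);
    for (int i = 0; i < SLOTS; i++)      /* count, then reclaim for the next call */
        if (slots[i]) { leaked++; free(slots[i]); slots[i] = NULL; }
    return leaked;
}

int main(void) {
    printf("late check leaked %d buffers, early check leaked %d\n",
           leaked_after(read_late_check, 40, 5), leaked_after(read_early_check, 40, 5));
    return 0;
}
```

The leaked count grows linearly with the number of rejected files under the late check, which is the growth in memory consumption described under Impact.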
Preconditions
- input: Attacker must supply a crafted TIFF file with `samples_per_pixel` exceeding `MaxPixelChannels`
- input: Victim must execute the `convert` command (e.g., `magick convert $poc out.bmp`) on the malicious file
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4Q6MJAMGHGB552KSFTQKXEKJVQNM4MCT/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5C6XAGUFPUF4SNVCI2T4OJK3EFIENBGP/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNVDNM4ZEIYPT3SLZHPYN7OG4CZLEXZJ/ (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/03/msg00008.html (mitre, mailing-list)
- github.com/ImageMagick/ImageMagick/commit/c6ad94fbb7b280f39c2fbbdc1c140e51b1b466e9 (mitre)
- github.com/ImageMagick/ImageMagick/issues/3540 (mitre)
- github.com/ImageMagick/ImageMagick6/commit/cd7f9fb7751b0d59d5a74b12d971155caad5a792 (mitre)