CVE-2021-3596
Description
A NULL pointer dereference in ImageMagick's ReadSVGImage() due to unchecked return from libxml2 can cause a crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A NULL pointer dereference flaw exists in ImageMagick versions prior to 7.0.10-31 in the ReadSVGImage() function within coders/svg.c. The function calls xmlCreatePushParserCtxt() from libxml2 but does not check the return value; if the call fails (e.g., due to insufficient memory or disk space), the returned NULL pointer is dereferenced directly, leading to a segmentation fault [1][2].
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted SVG file to ImageMagick. The issue is reproducible by first exhausting the /tmp directory (e.g., using fallocate) to force libxml2 allocation failure, then running magick convert on a malicious file [1]. No authentication is required; the attacker only needs to supply the file to a user or service that processes it with ImageMagick.
Impact
Successful exploitation results in a program crash and segmentation fault, causing a denial of service (availability impact). No evidence of code execution or information disclosure is provided in the references [1][2].
Mitigation
The vulnerability is fixed in ImageMagick version 7.0.10-31. The upstream patch is commit 43dfb1894761c4929d5d5c98dc80ba4e59a0d114 [2]. Users should upgrade to this version or later. No workaround is documented, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
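A check for the upgrade advice above, as an added example (not part of the original page or ImageMagick's own code): it classifies a `magick -version` banner against the 7.0.10-31 fix, comparing numerically so that 7.0.9 sorts before 7.0.10. The sample banners are constructed, and reporting non-7.x builds as "unknown" is an assumption, since the page names a fixed release only for 7.0.10-31.

```python
import re

# Fixed release for the 7.x line, as stated on this page.
FIXED_7X = (7, 0, 10, 31)

# Version token in a `magick -version` banner, e.g. "ImageMagick 7.0.10-30".
_BANNER = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch) from a version banner, or None."""
    match = _BANNER.search(banner)
    return tuple(int(g) for g in match.groups()) if match else None


def classify(banner):
    """Classify a banner as 'affected', 'fixed' or 'unknown' for CVE-2021-3596."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version[0] != 7:
        # Assumption: the page gives no fixed release for other lines (e.g. 6.x),
        # so defer to the distribution's advisory instead of guessing.
        return "unknown"
    # Tuple comparison is numeric per field; a string comparison would
    # wrongly rank "7.0.9-27" above "7.0.10-31".
    return "fixed" if version >= FIXED_7X else "affected"


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "Version: ImageMagick 7.0.10-30 Q16 x86_64 2020-09-13 https://imagemagick.org",
    "Version: ImageMagick 7.0.10-31 Q16 x86_64 2020-09-20 https://imagemagick.org",
    "Version: ImageMagick 7.0.9-27 Q16 x86_64 2020-03-01 https://imagemagick.org",
    "Version: ImageMagick 7.1.0-2 Q16 x86_64 2021-06-25 https://imagemagick.org",
    "Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Feed it the first line of `magick -version` output collected from each host or container image that processes untrusted SVG input.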
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: < 7.0.10-31
- osv-coords, 4 versions: pkg:apk/chainguard/imagemagick-6, pkg:apk/chainguard/imagemagick-6-dev, pkg:apk/chainguard/imagemagick-6-doc, pkg:apk/chainguard/imagemagick-6-static, range: < 0
- (no CPE), range: < 0
- (no CPE), range: < 0
- (no CPE), range: < 0
- (no CPE), range: < 0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NULL check on the return value of libxml2's xmlCreatePushParserCtxt() in ReadSVGImage() leads to direct dereference of a NULL pointer."
Attack vector
An attacker can trigger a NULL pointer dereference by providing a crafted SVG file that causes `xmlCreatePushParserCtxt()` to fail and return NULL [ref_id=1]. The failure can be induced by exhausting available space in the `/tmp` directory, which prevents libxml2 from allocating its parser context [ref_id=1]. When ImageMagick processes the malicious file, it dereferences the NULL pointer at `coders/svg.c:3621`, leading to a segmentation fault and program crash [ref_id=1][ref_id=2].
Affected code
The vulnerability is in the `ReadSVGImage()` function in `coders/svg.c` at line 3621 [ref_id=1][ref_id=2]. The code calls libxml2's `xmlCreatePushParserCtxt()` but does not check whether the returned pointer is NULL before dereferencing it [ref_id=1].
What the fix does
The upstream patch (commit `43dfb1894761c4929d5d5c98dc80ba4e59a0d114`) adds a NULL check on the return value of `xmlCreatePushParserCtxt()` before the pointer is used [ref_id=2]. If the pointer is NULL, the function returns an error status instead of crashing [ref_id=2]. This closes the vulnerability by ensuring that a failed parser allocation is handled gracefully rather than causing a segmentation fault.
Preconditions
- input: The attacker must supply a crafted SVG file that causes `xmlCreatePushParserCtxt()` to return NULL (e.g., by exhausting `/tmp` space)
- config: The victim must process the malicious file with an affected version of ImageMagick (prior to 7.0.10-31)
Reproduction
1. Fill the `/tmp` directory to exhaust available space (e.g., `fallocate -l
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions
No linked articles in our index yet.