VYPR
Unrated severity · NVD Advisory · Published Aug 29, 2022 · Updated Aug 2, 2024

CVE-2022-1115

Description

A heap-buffer-overflow flaw in ImageMagick's PushShortPixel() allows denial of service via a crafted TIFF image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-buffer-overflow vulnerability exists in ImageMagick's PushShortPixel() function within the quantum-private.h file. This flaw is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion. The overflow occurs during the processing of pixel data when reading a malicious TIFF, specifically in the ImportRGBAQuantum and ReadTIFFImage code paths. The vulnerability affects ImageMagick versions 7.1.0-28 and earlier, and likely other versions in the 7.x series. ImageMagick 6 is also affected, with a fix provided in commit 1f860f5 [2][3].

Exploitation

An attacker only needs to provide a malformed TIFF file to a victim or service that uses ImageMagick to process images. No authentication or special privileges are required, as the vulnerability is triggered during the image conversion process. The attack vector is local, or remote if the application processes user-supplied images. The referenced report reproduces the issue by building ImageMagick with AddressSanitizer and then running `./magick convert poc /dev/null`, where `poc` is the crafted TIFF file; this demonstrates the heap-buffer-overflow [2].

Impact

Successful exploitation leads to a heap-buffer-overflow, which can cause a denial of service (DoS) through application crash or memory corruption. The overflow is of type read or write, and in the AddressSanitizer output, a READ of size 1 occurs at an invalid heap address. This could potentially be leveraged for more severe impacts, but the official description and references primarily indicate denial of service [1][2][3].

Mitigation

Red Hat has closed this issue as NOTABUG in Bugzilla, and the ImageMagick project has addressed the vulnerability in a commit for ImageMagick6 [3][4]. Users should update to a patched version of ImageMagick (e.g., for ImageMagick6, apply commit 1f860f5 or later). For ImageMagick7, no official patch was mentioned in the provided references, but upgrading to the latest version may include fixes. If no fix is available, consider restricting TIFF image processing or using alternative image libraries [1][2][4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check in PushShortPixel() when reading TIFF pixel data leads to a heap-buffer-overflow."

Attack vector

An attacker provides a specially crafted TIFF image file to ImageMagick for conversion (e.g., via `./magick convert poc /dev/null`) [ref_id=1]. When `ReadTIFFImage` processes the malicious TIFF, it allocates a heap buffer of insufficient size (914 bytes) [ref_id=1]. The subsequent pixel-import path in `PushShortPixel` reads beyond the allocated region, causing a heap-buffer-overflow [ref_id=1]. No authentication or special privileges are required; the attacker only needs to deliver the malformed TIFF to a victim or service that uses ImageMagick to process images.

Affected code

The heap-buffer-overflow occurs in the `PushShortPixel()` function within `MagickCore/quantum-private.h` [ref_id=1]. The crash backtrace shows the call chain: `ReadTIFFImage` (coders/tiff.c:2052) → `ImportQuantumPixels` → `ImportRGBAQuantum` (quantum-import.c:4232) → `PushShortPixel` (quantum-private.h) [ref_id=1]. The overflow is a READ of size 1 at an address 10 bytes to the right of a 914-byte heap buffer allocated in `ReadTIFFImage` at tiff.c:1996 [ref_id=1].
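The class of check that is missing in this path, as an added example (not ImageMagick's code and not the project's fix): a 16-bit sample reader that tracks remaining bytes, and a row importer that validates the size implied by the image geometry against the real allocation before reading. The names `cursor_t`, `push_short_checked`, `import_rgba16_row` and `demo_row` are hypothetical, and the column counts are constructed; only the 914-byte buffer size comes from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cursor (not an ImageMagick structure): tracks how many bytes
   remain so every read can be checked against the allocation. */
typedef struct { const unsigned char *p; size_t left; } cursor_t;

/* Bounds-checked 16-bit little-endian read: 0 on success, -1 if fewer than
   2 bytes remain. An unchecked reader would dereference p[0] and p[1] here. */
static int push_short_checked(cursor_t *c, uint16_t *out)
{
    if (c->left < 2) return -1;
    *out = (uint16_t)(c->p[0] | (c->p[1] << 8));
    c->p += 2; c->left -= 2;
    return 0;
}

/* Import one row of 16-bit RGBA. The row size implied by the header
   (columns * 4 samples * 2 bytes) is validated against the real buffer
   length, with an overflow guard, before any pixel is read. */
static int import_rgba16_row(const unsigned char *buf, size_t buf_len,
                             size_t columns, uint16_t *dst)
{
    if (columns > SIZE_MAX / 8 || columns * 8 > buf_len) return -1;
    cursor_t c = { buf, buf_len };
    for (size_t i = 0; i < columns * 4; i++)
        if (push_short_checked(&c, &dst[i]) != 0) return -1;
    return 0;
}

/* Constructed driver: zeroed buffer of buf_len bytes, row claiming
   `columns` pixels. Returns the importer's result, or -2 on alloc failure. */
static int demo_row(size_t buf_len, size_t columns)
{
    unsigned char *buf = calloc(buf_len ? buf_len : 1, 1);
    uint16_t *dst = calloc(columns ? columns : 1, 4 * sizeof *dst);
    int rc = (buf && dst) ? import_rgba16_row(buf, buf_len, columns, dst) : -2;
    free(buf); free(dst);
    return rc;
}

int main(void)
{
    /* 914 is the buffer size from the ASan report; columns are constructed. */
    printf("114 columns: %d\n", demo_row(914, 114)); /* needs 912 bytes */
    printf("116 columns: %d\n", demo_row(914, 116)); /* needs 928 bytes */
    return 0;
}
```

A row whose declared geometry needs more bytes than the allocation holds is rejected up front rather than read past the end of the heap buffer.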

What the fix does

The bundle does not include a patch or advisory describing a fix. The referenced issue [ref_id=1] reports the heap-buffer-overflow but does not provide a resolution. Without a published patch, the remediation guidance is unavailable from this bundle; users should monitor the ImageMagick project for a security release addressing CVE-2022-1115.

Preconditions

  • input: The victim must use ImageMagick to process a TIFF image file supplied by the attacker (e.g., via `convert` or similar command).
  • auth: No authentication or special privileges are required; the attacker only needs to deliver the malformed TIFF file.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
