CVE-2023-34151
Description
A vulnerability in ImageMagick allows undefined behavior casting double to size_t in SVG, MVG, and other coders, potentially leading to crashes or undefined behavior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in ImageMagick arises from undefined behavior when casting a double value to size_t in several coders, including SVG, MVG, CAPTION, EMF, LABEL, PS, PS2, PS3, and WMF. This is a recurring issue similar to CVE-2022-32546, which was only partially fixed for the PCL format. The affected versions include ImageMagick 7.1.30-0 and likely earlier versions [1][2].
Exploitation
An attacker can craft a malicious SVG or MVG file with an extreme width/height value (e.g., 5e+24) that, when processed by ImageMagick (e.g., via the magick identify command), triggers the undefined behavior. No authentication is required; only user interaction to open the file is needed [2].
Impact
The undefined behavior can cause runtime errors such as crashes, as demonstrated by UBSAN detection. While the exact impact depends on the compiler and environment, the vulnerability could potentially lead to more serious consequences due to undefined behavior. The CVSS score is 6.3 (medium) as per Red Hat [1].
Mitigation
As of the report date (May 2023), no patch has been released for these coders. Users are advised to monitor ImageMagick updates and apply any fixes when available. Workarounds may include restricting input to trusted sources [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
osv-coords (19 versions):
- pkg:apk/chainguard/imagemagick-6 (range: < 0)
- pkg:apk/chainguard/imagemagick-6-dev (range: < 0)
- pkg:apk/chainguard/imagemagick-6-doc (range: < 0)
- pkg:apk/chainguard/imagemagick-6-static (range: < 0)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.4 (range: < 7.1.0.9-150400.6.21.1)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.5 (range: < 7.1.0.9-150400.6.21.1)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed (range: < 7.1.1.17-1.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (range: < 7.0.7.34-150000.3.123.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (range: < 7.1.0.9-150400.6.21.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 (range: < 7.1.0.9-150400.6.21.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 (range: < 7.1.0.9-150400.6.21.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 (range: < 7.1.0.9-150400.6.21.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3 (range: < 7.0.7.34-150200.10.48.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (range: < 6.8.8.1-71.189.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (range: < 7.0.7.34-150000.3.123.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (range: < 6.8.8.1-71.189.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (range: < 7.0.7.34-150000.3.123.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (range: < 6.8.8.1-71.189.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (range: < 6.8.8.1-71.189.1)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing range validation when casting double width/height values to size_t/unsigned long in multiple image coders."
Attack vector
An attacker crafts a malformed SVG, MVG, or other supported image file containing an extremely large width or height value (e.g., `5e+24` or `5e+26`) that, when parsed, is cast from `double` to `size_t`/`unsigned long` [ref_id=1]. This out-of-range conversion triggers undefined behavior, which can lead to incorrect image dimensions being used in subsequent memory operations [ref_id=1]. The attacker only needs to supply the malicious file to an application using ImageMagick (e.g., via `magick identify`), with no special privileges required [ref_id=1].
Affected code
The vulnerability affects multiple coders in ImageMagick, including `coders/svg.c` (line 2829) and `coders/mvg.c` (line 180), as well as CAPTION, EMF, LABEL, PS, PS2, PS3, and WMF readers [ref_id=1]. The bug occurs in the `ReadXXXImage` functions of these coders where a width/height value stored as a `double` is cast directly to `size_t` or `unsigned long` without range checking [ref_id=1].
What the fix does
The advisory does not include a published patch for this CVE [ref_id=1]. The reporter notes that the original fix for CVE-2022-32546 (issue #4986) addressed the same class of bug only in the PCL coder, but the identical pattern of casting `double` to `size_t` without bounds validation remained in SVG, MVG, CAPTION, EMF, LABEL, PS, PS2, PS3, and WMF coders [ref_id=1]. The recommended remediation is to apply similar input validation and safe casting checks across all affected coders to ensure width/height values are within the representable range of `size_t` before conversion [ref_id=1].
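The range check recommended above, as an added C example that is not ImageMagick's code or the reporter's patch. `checked_double_to_size` and `parse_dimension` are hypothetical helper names, and the sample strings are constructed around the `5e+24` and `5e+26` values quoted on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helper (not an ImageMagick function): convert a double to
 * size_t only when the result is representable. Returns 1 on success. */
static int checked_double_to_size(double value, size_t *out)
{
    /* 2^N for an N-bit size_t, built from exactly representable pieces.
     * (double)SIZE_MAX would round up to 2^N on 64-bit targets, so a
     * "value > (double)SIZE_MAX" test would let 2^N itself through. */
    const double limit = (double)(SIZE_MAX / 2 + 1) * 2.0;

    /* Written so NaN fails the first comparison and is rejected too. */
    if (!(value >= 0.0) || value >= limit)
        return 0;
    *out = (size_t)value;   /* now defined: truncates toward zero */
    return 1;
}

/* Hypothetical helper: parse a width/height attribute as a coder might
 * receive it from an SVG or MVG file, then apply the checked conversion. */
static int parse_dimension(const char *text, size_t *out)
{
    char *end = NULL;
    double value = strtod(text, &end);

    if (end == text)        /* no number at all */
        return 0;
    return checked_double_to_size(value, out);
}

int main(void)
{
    /* Constructed inputs; 5e+24 and 5e+26 are the values quoted above. */
    const char *samples[] = { "640", "5e+24", "5e+26", "-1", "nan" };
    size_t i, dim;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_dimension(samples[i], &dim))
            printf("%-6s accepted as %zu\n", samples[i], dim);
        else
            printf("%-6s rejected: not representable as size_t\n", samples[i]);
    }
    return 0;
}
```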
Preconditions
- input: The attacker must supply a crafted image file (SVG, MVG, or other affected format) containing an out-of-range width/height value.
- config: The target application must use an affected version of ImageMagick (e.g., 7.1.30-0) compiled with undefined behavior sanitizer or otherwise susceptible to the casting overflow.
Reproduction
Prerequisite: configure ImageMagick with UBSAN and float-cast-overflow detection enabled (e.g., `./configure CFLAGS='-g -fsanitize=address,undefined,float-cast-overflow -fsanitize-recover=address,undefined,float-cast-overflow' LDFLAGS='-fsanitize=address,undefined,float-cast-overflow -lasan -lubsan'`). Trigger: run `magick identify bitcoin.svg` (SVG sample) or `magick identify mvg:piechart.mvg` (MVG sample) using the malformed sample files from the attached zip [ref_id=1]. The runtime error `5e+24 is outside the range of representable values of type 'long unsigned int'` will be reported for SVG, and `5e+26 is outside the range of representable values of type 'long unsigned int'` for MVG [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UFQJCYJ23HWHNDOVKBHZQ7HCXXL6MM3/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/ (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2024/02/msg00007.html (mitre, mailing-list)
- access.redhat.com/security/cve/CVE-2023-34151 (mitre)
- bugzilla.redhat.com/show_bug.cgi (mitre)
- github.com/ImageMagick/ImageMagick/issues/6341 (mitre)