CVE-2023-34474
Description
A heap-based buffer overflow in ImageMagick's TIM2 image parser allows a crafted file to cause a denial of service via application crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. The vulnerability occurs when parsing the CLUT (color lookup table) data of a TIM2 image. The original code allocated insufficient memory using AcquireQuantumMemory(1, header->clut_size), which could lead to an out-of-bounds read when processing a specially crafted file. This issue affects ImageMagick versions prior to the fix introduced in commit 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 [2].
Exploitation
An attacker must craft a malicious TIM2 image file with a manipulated CLUT size field. The attacker then tricks a local user into opening the file with ImageMagick (e.g., via display, convert, or an application that uses the library). No special privileges are required beyond the ability to present the file to the victim. Upon parsing, the insufficient buffer causes an out-of-bounds read, leading to a crash.
Impact
Successful exploitation results in a denial of service (DoS) due to application crash. The out-of-bounds read may also potentially expose sensitive memory contents, though the primary impact described is a crash. The vulnerability does not appear to allow arbitrary code execution based on available information [1][2].
Mitigation
The fix was committed to the ImageMagick repository on an undisclosed date prior to the CVE publication (2023-06-16) [2]. Users should update to a version containing this commit or later. Red Hat has acknowledged the issue and likely provided updated packages [1]. Fedora package announcements were also issued [3][4]. If an update is not immediately available, avoid opening untrusted TIM2 files with ImageMagick.
- [1] cve-details
- [2] carefully crafted image files (TIM2, JPEG) no longer overflow buffer … · ImageMagick/ImageMagick@1061db7
- [3] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/45DUUXYMAEEAW55GSLAXN25VPKCRAIDA/
- [4] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UFQJCYJ23HWHNDOVKBHZQ7HCXXL6MM3/
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
No CPE entries are listed. OSV coordinates (11 package versions), each with the affected version range given for it:
- pkg:apk/chainguard/imagemagick-6 (range: < 0)
- pkg:apk/chainguard/imagemagick-6-dev (range: < 0)
- pkg:apk/chainguard/imagemagick-6-doc (range: < 0)
- pkg:apk/chainguard/imagemagick-6-static (range: < 0)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.4 (range: < 7.1.0.9-150400.6.24.1)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.5 (range: < 7.1.0.9-150400.6.24.1)
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed (range: < 7.1.1.11-2.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (range: < 7.1.0.9-150400.6.24.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 (range: < 7.1.0.9-150400.6.24.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 (range: < 7.1.0.9-150400.6.24.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 (range: < 7.1.0.9-150400.6.24.1)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient heap buffer allocation in ReadTIM2ImageData() when header->clut_size is smaller than image->colors, leading to out-of-bounds read."
Attack vector
A local attacker crafts a specially formed TIM2 image file with a CLUT size smaller than the image's color count. When a user opens this file with ImageMagick, `ReadTIM2ImageData()` allocates a heap buffer based on the undersized `header->clut_size` value. The subsequent `ReadBlob()` call reads `header->clut_size` bytes into the buffer, but later operations may read beyond the allocated region because the buffer is too small relative to `image->colors`, causing an out-of-bounds read and application crash (denial of service) [ref_id=1].
Affected code
The vulnerability is in the `ReadTIM2ImageData()` function in `coders/tim2.c`. The heap-based buffer overflow occurs during CLUT (color lookup table) data allocation: the original code allocated `1 * header->clut_size` bytes via `AcquireQuantumMemory(1, header->clut_size)`, which could be insufficient when `header->clut_size` is smaller than `image->colors`, leading to an out-of-bounds read when data is later read into the undersized buffer [ref_id=1].
What the fix does
The patch changes the allocation from `AcquireQuantumMemory(1, header->clut_size)` to `AcquireQuantumMemory(2, MagickMax(header->clut_size, image->colors))`, doubling the allocation and ensuring the buffer is at least as large as `image->colors`. It also adds `memset(clut_data, 0, 2 * MagickMax(header->clut_size, image->colors))` to zero-initialize the enlarged buffer. This prevents out-of-bounds reads by guaranteeing the allocated heap region is large enough for all subsequent operations that reference `image->colors` [ref_id=1].
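To make the sizing argument concrete, here is an added C model of the pre-patch and patched CLUT allocation (constructed for this page, not ImageMagick's code): `clut_size` and `colors` stand in for `header->clut_size` and `image->colors`, and the assumption that the later palette loop consumes 2 bytes per colour entry is taken from the factor of 2 in the patch.

```c
/* Constructed model of the CLUT sizing bug behind CVE-2023-34474 and its fix.
 * Not ImageMagick's code: clut_size/colors stand in for header->clut_size and
 * image->colors; "2 bytes per palette entry" is an assumption matching the 2 in the patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static size_t max_sz(size_t a, size_t b) { return a > b ? a : b; }

/* Pre-patch sizing: AcquireQuantumMemory(1, header->clut_size). */
size_t clut_alloc_vulnerable(size_t clut_size, size_t colors) {
    (void)colors;                 /* colors is ignored: that is the bug */
    return clut_size;
}

/* Patched sizing: AcquireQuantumMemory(2, MagickMax(clut_size, colors)).
 * Returns 0 if 2 * max would overflow size_t. */
size_t clut_alloc_fixed(size_t clut_size, size_t colors) {
    size_t m = max_sz(clut_size, colors);
    return m > SIZE_MAX / 2 ? 0 : 2 * m;
}

/* 1 if a loop over `colors` 2-byte entries would read past `alloc` bytes. */
int would_read_oob(size_t alloc, size_t colors) {
    return colors > alloc / 2;
}

/* Hardened load path: allocate per the patch, zero the buffer, copy at most
 * clut_size bytes of (constructed) file data, then verify that no byte the
 * palette loop touches lies outside the buffer. Returns 1 on success. */
int demo_fixed_load(size_t clut_size, size_t colors) {
    uint8_t file[64];             /* constructed CLUT bytes, not a real TIM2 */
    if (clut_size > sizeof file) return 0;
    memset(file, 0xAB, clut_size);
    size_t n = clut_alloc_fixed(clut_size, colors);
    uint8_t *buf = n ? malloc(n) : NULL;
    if (!buf) return 0;
    memset(buf, 0, n);            /* the patch's memset */
    memcpy(buf, file, clut_size); /* the ReadBlob of clut_size bytes */
    int ok = !would_read_oob(n, colors);
    for (size_t i = 0; i < n && ok; i++)
        ok = (buf[i] == (i < clut_size ? 0xAB : 0x00));
    free(buf);
    return ok;
}
```

With `clut_size = 4` and `colors = 16`, the pre-patch sizing yields a 4-byte buffer that a 16-entry loop overruns, while the patched sizing yields 32 zeroed bytes and no overrun.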
Preconditions
- input: Attacker must craft a TIM2 image file where header->clut_size is smaller than image->colors
- input: Victim must open the crafted file with ImageMagick
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/45DUUXYMAEEAW55GSLAXN25VPKCRAIDA/ (mitre; vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UFQJCYJ23HWHNDOVKBHZQ7HCXXL6MM3/ (mitre; vendor advisory)
- access.redhat.com/security/cve/CVE-2023-34474 (mitre)
- bugzilla.redhat.com/show_bug.cgi (mitre)
- github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 (mitre)
News mentions
No linked articles in our index yet.