VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026

ImageMagick SIXEL Decoder Has Signed Integer Overflow, Leading to Memory Corruption

CVE-2026-25970

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A signed integer overflow in ImageMagick's SIXEL decoder can cause memory corruption and denial of service via a crafted image file.

Vulnerability

Overview

A signed integer overflow vulnerability exists in ImageMagick's SIXEL decoder, affecting versions prior to 7.1.2-15 and 6.9.13-40 [2]. The flaw occurs during buffer reallocation, where pointer arithmetic on signed 32-bit integers overflows, so the computed offset no longer corresponds to the allocation it is applied to and the reads or writes that follow land outside the buffer, corrupting memory [4]. Because the arithmetic is carried out in a 32-bit type, the problem is not confined to 32-bit builds: `int` remains 32 bits on 64-bit Linux, Windows and macOS, while the allocations a decoder works with can be far larger. Signed overflow is also undefined behaviour in C, so a range check placed after the overflowing operation cannot be relied on to catch it. This is a classic integer overflow in a C-based image processing library that handles a wide range of formats [1].
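The following is an added, constructed illustration of this bug class; it is not ImageMagick's own coders/sixel.c and makes no claim about the exact expression that overflowed there. It shows a decoder-style offset computation done in signed 32-bit arithmetic (with the wrap emulated so the demo itself is defined behaviour) beside a hardened buffer that does all size arithmetic in `size_t`, checks every multiply and add before use, and enforces a resource ceiling. The `pixbuf` type, its functions and the `MAX_PIXELS` limit are assumptions made for the example.

```c
/* Constructed example for CVE-2026-25970's bug class: a raster decoder that
 * keeps geometry in signed 32-bit ints and forms a buffer offset as
 * y * width + x. This is not ImageMagick's coders/sixel.c; all names and the
 * MAX_PIXELS ceiling are assumptions made for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable-style arithmetic. A real decoder multiplies in int, which is
 * undefined behaviour on overflow; here the wrap is emulated by a 64-bit
 * product truncated to 32 bits (what two's-complement hardware does), so the
 * demo is well defined. A negative or too-small result means base + offset
 * points outside an allocation that was sized for width * height bytes. */
static int32_t naive_offset(int32_t x, int32_t y, int32_t width)
{
    int64_t wide = (int64_t)y * (int64_t)width + (int64_t)x;
    return (int32_t)(uint32_t)wide;          /* deliberate 32-bit truncation */
}

/* Hardened form: size arithmetic in size_t, every multiply and add checked
 * before use, plus an absolute resource ceiling. */
typedef struct {
    unsigned char *data;
    size_t width, height;
    size_t cap;                              /* bytes allocated == width * height */
} pixbuf;

#define MAX_PIXELS ((size_t)1 << 28)         /* assumed ceiling: 256 Mi 8-bit pixels */

/* (Re)allocate for a new geometry. 0 on success, -1 if unrepresentable/too big. */
static int pixbuf_grow(pixbuf *pb, size_t new_width, size_t new_height)
{
    size_t need;
    unsigned char *p;

    if (new_width == 0 || new_height == 0)
        return -1;
    if (new_height > SIZE_MAX / new_width)   /* width * height would overflow */
        return -1;
    need = new_width * new_height;
    if (need > MAX_PIXELS)                   /* representable but hostile */
        return -1;
    if (need > pb->cap) {
        p = realloc(pb->data, need);
        if (p == NULL)
            return -1;
        memset(p + pb->cap, 0, need - pb->cap);
        pb->data = p;
        pb->cap = need;
    }
    pb->width = new_width;
    pb->height = new_height;
    return 0;
}

/* Bounds-checked pixel store. 0 on success, -1 if (x, y) is outside the
 * declared geometry or the byte offset would not fit the allocation. */
static int pixbuf_put(pixbuf *pb, size_t x, size_t y, unsigned char v)
{
    size_t off;

    if (x >= pb->width || y >= pb->height)
        return -1;
    if (y > SIZE_MAX / pb->width)
        return -1;
    off = y * pb->width;
    if (x > SIZE_MAX - off)
        return -1;
    off += x;
    if (off >= pb->cap)
        return -1;
    pb->data[off] = v;
    return 0;
}

/* Runs the hardened path end to end; returns 1 if it rejects crafted
 * geometry, accepts sane geometry and refuses out-of-range stores. */
static int hardened_demo(void)
{
    pixbuf pb = {0};
    int ok = 1;

    /* Constructed "crafted" geometry: 65536 x 32769 is a fine size_t but its
     * area, 2^31 + 65536, does not fit in a signed 32-bit int. */
    ok &= (pixbuf_grow(&pb, 65536, 32769) == -1);
    ok &= (pixbuf_grow(&pb, SIZE_MAX / 2, 3) == -1);   /* size_t overflow path */
    ok &= (pixbuf_grow(&pb, 640, 480) == 0);
    ok &= (pixbuf_put(&pb, 639, 479, 0xff) == 0);
    ok &= (pixbuf_put(&pb, 640, 0, 0xff) == -1);       /* x past declared width */
    ok &= (pixbuf_put(&pb, 0, 480, 0xff) == -1);       /* y past declared height */
    free(pb.data);
    return ok;
}

int main(void)
{
    /* Row 32768 of a 65536-wide image: 32768 * 65536 == 2^31, which a signed
     * 32-bit int cannot hold, so the wrapped offset is INT32_MIN (negative). */
    printf("naive offset (x=0, y=32768, width=65536): %d\n",
           naive_offset(0, 32768, 65536));
    printf("hardened path behaves as intended: %s\n",
           hardened_demo() ? "yes" : "no");
    return 0;
}
```

The point of the pairing is that the hardened version never lets a value reach the allocator or the pointer arithmetic without first proving it fits: the overflow test precedes the multiply, the geometry check precedes the offset computation, and the final `off >= cap` check guards against a buffer that was grown for a smaller geometry than the one now being written.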

Exploitation

An attacker can exploit this vulnerability by crafting a malicious SIXEL image file and inducing the victim to process it with ImageMagick or an application that uses the library [2]. No authentication is required, and the attack can be delivered remotely via common vectors such as email attachments, web uploads, or automated processing pipelines [1]. ImageMagick identifies formats from file content as well as from the extension, so an upload filter that only checks extensions does not keep a SIXEL payload away from the decoder. The SIXEL decoder is invoked when the library processes the crafted file, and the overflow is triggered during memory reallocation [4].

Impact

Successful exploitation results in memory corruption and denial of service, most visibly as a crash of the process that decoded the file, which in a server-side pipeline means the worker handling the upload [2]. The description does not confirm remote code execution, but memory corruption in image decoders fed untrusted input has historically been leveraged for code execution in other contexts, so the bug should not be treated as crash-only until the fix is in place. The primary impact is availability; integrity and confidentiality could be affected if the corruption leads to further exploitation [4].

Mitigation

The vulnerability is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2]; update to these versions or later, and for Magick.NET to 14.10.3 or later (see Affected packages). Where updating is not immediately possible, the SIXEL coder can be disabled in ImageMagick's policy.xml with a `coder` domain entry that sets `rights="none"` for the `SIXEL` pattern; the same coder is also registered under the `SIX` alias, so deny both [1]. Confirm that the installed build actually reads the policy file you edited and that the entry took effect with `magick -list policy` (`convert -list policy` on the 6.x branch), since the policy search path differs between distribution packages and source builds. Disabling the coder blocks all legitimate SIXEL reads and writes, which is rarely a loss outside terminal graphics. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            | Ecosystem | Affected versions | Patched versions
Magick.NET-Q16-AnyCPU              | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-HDRI-AnyCPU         | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64   | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-HDRI-arm64          | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-HDRI-x64            | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-HDRI-x86            | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-OpenMP-arm64        | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-OpenMP-x64          | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-OpenMP-x86          | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-arm64               | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-x64                 | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-x86                 | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q16-HDRI-OpenMP-x64     | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q8-AnyCPU               | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q8-OpenMP-arm64         | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q8-OpenMP-x64           | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q8-arm64                | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q8-x64                  | NuGet     | < 14.10.3         | 14.10.3
Magick.NET-Q8-x86                  | NuGet     | < 14.10.3         | 14.10.3

Affected products

2
  • ImageMagick/Imagemagick (llm-fuzzy) · 2 versions
    <7.1.2-15, <6.9.13-40 + 1 more
    • (no CPE) range: <7.1.2-15, <6.9.13-40
    • (no CPE) range: >= 7.0.0, < 7.1.2-15

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.