CVE-2019-10649Missing Release of Memory after Effective Lifetime in Imagemagick

CWE-401Missing Release of Memory after Effective LifetimeCWE-400Uncontrolled Resource ConsumptionCWE-772Missing Release of Resource after Effective Lifetime8 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.5%
top 34.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
ImagemagickDebian ImagemagickCanonical Ubuntu Linux+1 more
Timeline
PublishedMar 30
Latest updateMay 13

Description

In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

debiandebian/imagemagick< imagemagick 8:6.9.11.24+dfsg-1 (bookworm)
Debianimagemagick/imagemagick< 8:6.9.11.24+dfsg-1+3

Also affects: Debian Linux 10.0, Ubuntu Linux 16.04, 18.04, 18.10, 19.04

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-x7gh-h4gm-34v3: In ImageMagick 72022-05-13
OSV
CVE-2019-10649: In ImageMagick 72019-03-30

📋Vendor Advisories

3
Ubuntu
ImageMagick vulnerabilities2019-06-25
Red Hat
ImageMagick: memory leak in SVGKeyValuePairs of coders/svg.c that leads to denial of service via crafted image file2019-03-28
Debian
CVE-2019-10649: imagemagick - In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValueP...2019

💬Community

2
Bugzilla
CVE-2019-10649 ImageMagick: memory leak in SVGKeyValuePairs of coders/svg.c that leads to denial of service via crafted image file [fedora-all]2019-04-16
Bugzilla
CVE-2019-10649 ImageMagick: memory leak in SVGKeyValuePairs of coders/svg.c that leads to denial of service via crafted image file2019-04-16