CVE-2021-3596NULL Pointer Dereference in Imagemagick

CWE-476NULL Pointer Dereference6 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 61.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
ImagemagickDebian LinuxFedoraproject Fedora+1 more
Timeline
PublishedFeb 24
Latest updateFeb 25

Description

A NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2's xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

NVDimagemagick/imagemagick< 7.0.10-31
Debianimagemagick/imagemagick< 8:6.9.11.57+dfsg-1+3
CVEListV5imagemagick/imagemagickImageMagick 7.0.10-31

Also affects: Debian Linux 9.0, Fedora 34, Enterprise Linux 5.0, 6.0, 7.0

🔴Vulnerability Details

3
GHSA
GHSA-8jv5-qv7g-fm4r: A NULL pointer dereference flaw was found in ImageMagick in versions prior to 72022-02-25
CVEList
CVE-2021-3596: A NULL pointer dereference flaw was found in ImageMagick in versions prior to 72022-02-24
OSV
CVE-2021-3596: A NULL pointer dereference flaw was found in ImageMagick in versions prior to 72022-02-24

📋Vendor Advisories

2
Debian
CVE-2021-3596: imagemagick - A NULL pointer dereference flaw was found in ImageMagick in versions prior to 7....2021
Red Hat
ImageMagick: NULL pointer dereference in ReadSVGImage() in coders/svg.c2020-09-25
CVE-2021-3596 — NULL Pointer Dereference in Imagemagick | cvebase