Description: Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and later allows remote attackers to cause a denial of service (application crash) via a crafted tga file.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 799524, 806442

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version  Status
imagemagick (PTS)  buster               8:
                   buster (security)    8:
                   bullseye (security)  8:
                   bookworm (security)  8:
                   sid, trixie          8:

The information below is based on the following data on fixed versions.

Package      Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
imagemagick  source  squeeze     (not affected)
imagemagick  source  wheezy      (not affected)
imagemagick  source  jessie      (not affected)
imagemagick  source  (unstable)  8:, 806442


[jessie] - imagemagick <not-affected> (Can't reproduce crash with file)
[wheezy] - imagemagick <not-affected> (Can't reproduce crash with file)
[squeeze] - imagemagick <not-affected> (Can't reproduce crash with file)
The problem can only be triggered with recent versions of ImageMagick (8: in experimental is vulnerable, 8: in sid is not vulnerable, older versions are not vulnerable)
