PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8900 ImageMagick CVE debrief

CVE-2015-8900 is a denial-of-service issue in ImageMagick’s HDR parser. The vulnerable ReadHDRImage function in coders/hdr.c can loop indefinitely when it processes a crafted HDR file. NVD rates the issue 5.5 (Medium) and maps it to CWE-835, with impact limited to availability.

Vendor: ImageMagick
Product: CVE-2015-8900
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Teams that run ImageMagick in production, especially services or desktop workflows that accept untrusted HDR files. Security and operations teams should care most if image conversion jobs are exposed to user-supplied content or can be used to stall pipelines.

Technical summary

NVD describes the flaw as an infinite loop in ReadHDRImage within coders/hdr.c, triggered by a crafted HDR file. The NVD CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating no confidentiality or integrity impact but high availability impact. NVD maps the weakness to CWE-835 (infinite loop) and marks affected ImageMagick ranges as 6.0 through 6.9.3-10 and 7.0.1-0 through 7.0.5-0.

Defensive priority

Medium. This is an availability issue rather than a code-execution flaw, but it can still stall image-processing services or batch jobs that handle attacker-controlled HDR input. Patch during normal maintenance, and prioritize faster if ImageMagick is used in exposed or high-throughput conversion paths.

Recommended defensive actions

  • Inventory ImageMagick deployments and compare them against the affected ranges listed by NVD: 6.0 through 6.9.3-10 and 7.0.1-0 through 7.0.5-0.
  • Apply the vendor or downstream package fix referenced in the ImageMagick advisory, the GitHub commit, or your distribution’s security update.
  • Restrict or sandbox workflows that process untrusted HDR files so a hung conversion job cannot block broader services.
  • Add job timeouts, watchdogs, or worker restarts for image-processing pipelines to reduce the operational impact of infinite loops.
  • Monitor for unusually long-running or stuck ImageMagick processes, especially where user-uploaded images are converted automatically.
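The timeout and watchdog recommendation above, as an added example that is not part of the debrief or of ImageMagick itself: a wrapper that runs a conversion as a child process, kills it when it outlives a wall-clock deadline, and classifies the result so stuck jobs can be counted separately from ordinary failures. It assumes ImageMagick's `convert` is on PATH for real use and relies on the real `-limit time` resource option; a sleeping Python child stands in for a hung conversion, since no crafted HDR file is used here.

```python
"""Deadline-enforced ImageMagick job runner (added example, not project code)."""
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class JobResult:
    status: str            # "ok", "timeout" or "error"
    returncode: Optional[int]
    elapsed_s: float


def convert_argv(src: str, dst: str, time_limit_s: int) -> List[str]:
    """Build a `convert` command with ImageMagick's own wall-clock cap (-limit time)."""
    return ["convert", "-limit", "time", str(time_limit_s), src, dst]


def run_with_deadline(argv: List[str], deadline_s: float) -> JobResult:
    """Run argv as a child process and kill it if it outlives deadline_s.

    A CWE-835 loop never exits on its own, so only the timeout branch below
    frees the worker; the outcome is classified so a scheduler can track
    stuck jobs separately from ordinary conversion failures.
    """
    start = time.monotonic()
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=deadline_s)
    except subprocess.TimeoutExpired:
        proc.kill()        # SIGKILL: do not rely on a spinning process handling a polite signal
        proc.wait()        # reap the child so no zombie is left behind
        return JobResult("timeout", None, time.monotonic() - start)
    return JobResult("ok" if rc == 0 else "error", rc, time.monotonic() - start)


def hung_job_argv(seconds: float) -> List[str]:
    """Constructed stand-in for a conversion stuck in ReadHDRImage: a child
    that sleeps instead of returning (hypothetical helper, no HDR input)."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


if __name__ == "__main__":
    result = run_with_deadline(hung_job_argv(30), deadline_s=2.0)
    print(f"job status={result.status} after {result.elapsed_s:.1f}s")
    print("real invocation would be:", " ".join(convert_argv("in.hdr", "out.png", 60)))
```

Pair the wrapper with a metric or alert on the count of `timeout` results, which is the observable signature of a worker pinned in an infinite loop rather than a malformed-input rejection.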

Evidence notes

The source corpus includes the NVD CVE record, published 2017-02-27 and modified 2026-05-13. The description states that ReadHDRImage in coders/hdr.c can be forced into an infinite loop by a crafted HDR file. NVD lists CWE-835 and the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The affected version ranges are taken from NVD CPE criteria. References in the corpus include an ImageMagick vendor advisory, Openwall mailing list posts, a Red Hat bug, and a GitHub commit. Two Trac references are marked broken in the supplied metadata. The supplied enrichment does not place this CVE in CISA KEV.

Official resources

Published publicly in the CVE/NVD record on 2017-02-27, with the NVD record later modified on 2026-05-13. The supplied enrichment indicates no CISA KEV listing.