PatchSiren cyber security CVE debrief

CVE-2015-8902 ImageMagick CVE debrief

CVE-2015-8902 affects ImageMagick's PDB handling in 6.x before 6.9.0-5 Beta. A crafted PDB file can trigger an infinite loop in ReadBlobByte in coders/pdb.c, leading to denial of service. The NVD record classifies the issue as CWE-835 and rates it MEDIUM (CVSS 6.5).

Vendor: ImageMagick
Product: CVE-2015-8902
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Operators and developers who use ImageMagick to process untrusted image or document content, especially workflows that accept PDB files or convert user-supplied files automatically.

Technical summary

The vulnerable path is ReadBlobByte in coders/pdb.c. According to the supplied NVD data, malformed PDB input can cause the parser to loop indefinitely instead of terminating cleanly, so the impact is on availability only (C:N/I:N/A:H). The published CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating the flaw is reachable remotely but requires user interaction (for example, opening or converting a supplied file). The affected version range is ImageMagick 6.0 up to, but not including, 6.9.0-5 Beta.

Defensive priority

Medium priority for any environment that processes untrusted PDB files; lower urgency if PDB support is disabled and ImageMagick is confined to trusted inputs.

Recommended defensive actions

  • Upgrade ImageMagick to 6.9.0-5 Beta or later, as indicated by the affected version range in the supplied record.
  • Disable or restrict PDB parsing if your environment does not require it.
  • Run ImageMagick in a sandboxed service with timeouts and resource limits to reduce the impact of parser hangs.
  • Add monitoring for stuck or long-running image conversion jobs so infinite-loop behavior is detected quickly.
  • Treat user-supplied PDB files as untrusted and route them through controlled validation and conversion workflows.
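The following wrapper illustrates two of the actions above from the operator's side: checking that an ImageMagick policy.xml denies the PDB coder, and running conversions under a wall-clock timeout and CPU limit so that a stuck parser surfaces as a classified "hang" event rather than an indefinitely running job. It is an added example, not PatchSiren's or ImageMagick's own code; it assumes Linux/Unix for resource limits, and the policy fragment and the spinning child process it uses in place of a real conversion are constructed stand-ins.

```python
import resource
import signal
import subprocess
import sys
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

PYTHON = sys.executable  # interpreter used for the constructed stand-in children

# Constructed sample policy.xml fragment (not from the debrief): denies the PDB coder.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="time" value="60"/>
  <policy domain="coder" rights="none" pattern="PDB"/>
</policymap>"""


def pdb_coder_disabled(policy_xml: str) -> bool:
    """True if a <policy domain="coder" rights="none"> entry matches PDB.
    Simplified check: the pattern is treated as a case-insensitive glob."""
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            if fnmatchcase("PDB", pol.get("pattern", "").upper()):
                return True
    return False


def run_with_limits(argv, wall_seconds=10, cpu_seconds=10):
    """Run argv (e.g. an ImageMagick convert command) under a wall-clock timeout
    and a CPU-time rlimit. Returns (status, returncode) with status one of
    "ok", "error" or "hang"; "hang" covers both the wall timeout and a
    CPU-limit kill, which is how an infinite parser loop presents."""
    def limits():  # runs in the child before exec (Linux/Unix assumption)
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    try:
        proc = subprocess.run(argv, capture_output=True,
                              timeout=wall_seconds, preexec_fn=limits)
    except subprocess.TimeoutExpired:  # subprocess.run kills the child for us
        return "hang", None
    if proc.returncode < 0 and -proc.returncode in (signal.SIGXCPU, signal.SIGKILL):
        return "hang", proc.returncode
    return ("ok" if proc.returncode == 0 else "error"), proc.returncode


if __name__ == "__main__":
    # Constructed stand-in for a conversion job whose parser never terminates.
    spin = [PYTHON, "-c", "while True: pass"]
    print(pdb_coder_disabled(SAMPLE_POLICY))  # True
    print(run_with_limits(spin, wall_seconds=3, cpu_seconds=1))  # status "hang"
```

A "hang" result is the signal to alert on and to quarantine the input file for review; the CPU limit is what bounds a busy loop when a wall-clock timeout alone is not enforced by the calling service.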

Evidence notes

This debrief is based on the supplied NVD CVE record and its referenced materials. The record states that ReadBlobByte in coders/pdb.c can loop indefinitely on crafted PDB input, and that the issue affects ImageMagick 6.x before 6.9.0-5 Beta. The supplied source metadata includes a broken Trac reference and several advisory/mailing-list references; no KEV entry was supplied. Timing context uses the CVE publication date of 2017-02-27 and the record modification date of 2026-05-13.

Official resources

The CVE record was published on 2017-02-27 and modified on 2026-05-13. No exploit campaign, KEV listing, or ransomware association is supplied in the corpus.