PatchSiren cyber security CVE debrief
CVE-2015-8903 ImageMagick CVE debrief
CVE-2015-8903 is a denial-of-service issue in ImageMagick’s VICAR image parser. A crafted VICAR file can cause the ReadVICARImage function to enter an infinite loop, which can hang processing workflows and exhaust worker capacity. NVD assigns the issue a CVSS 3.1 score of 6.5 (medium) with availability impact only.
- Vendor: ImageMagick
- Product: ImageMagick (cpe:2.3:a:imagemagick:imagemagick)
- CVE: CVE-2015-8903
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-27
- Advisory updated: 2026-05-13
Who should care
Teams that run ImageMagick on user-supplied or externally sourced images should care most, especially web services, document conversion pipelines, thumbnailers, and batch processing jobs. Any environment where a hung image parser can block workers or queue capacity is at risk.
Technical summary
NVD describes CVE-2015-8903 as an infinite-loop denial of service in coders/vicar.c, specifically the ReadVICARImage function. The vulnerability affects ImageMagick 6.x from 6.0 up to, but not including, 6.9.0-5 Beta. NVD maps the weakness to CWE-835 (Loop with Unreachable Exit Condition) and lists the CVSS vector as AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
Defensive priority
Medium. The CVSS vector is network-reachable (AV:N) with low attack complexity and no privileges required, but user interaction is required (UI:R): a person or an automated pipeline has to process the crafted file. The impact is availability only (A:H); the supplied record gives no indication of code execution or data compromise.
Recommended defensive actions
- Upgrade ImageMagick to 6.9.0-5 Beta or a later fixed release.
- Treat VICAR and other untrusted image inputs as hostile and validate or reject them before processing.
- Run image conversion in isolated, resource-limited workers so a parser hang cannot stall the entire service.
- Add execution timeouts and watchdogs around image-processing jobs to recover from infinite loops or stuck workers.
- Review whether your deployment actually needs VICAR input at all; if not, disable that coder and any others you do not use, so a crafted file of that type is refused before it is parsed. On builds that support policy.xml, ImageMagick can deny a coder by name with an entry such as `<policy domain="coder" rights="none" pattern="VICAR" />`.
- Check the vendor and issue-tracking references for any environment-specific guidance tied to your ImageMagick build or distribution package.
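The two controls the list above leans on most, an input allowlist that keeps VICAR away from the parser and a watchdog that bounds how long any one conversion can hold a worker, are shown together here as an added example. This is not ImageMagick project code and not from the advisory; the magic-byte allowlist, the "LBLSIZE=" VICAR label prefix used to name the rejection, the `convert` binary name, and the 512 MiB address-space cap are all assumptions chosen for illustration.

```python
"""Pre-filter untrusted images and time-box the ImageMagick worker.

Added illustration for this debrief; not ImageMagick project code.
Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import subprocess
import sys

try:
    import resource  # POSIX only; rlimits are skipped where unavailable
except ImportError:  # pragma: no cover
    resource = None

# Allowlist of magic bytes for the formats this hypothetical service
# accepts. VICAR is deliberately absent: anything not listed is rejected
# before ImageMagick ever sees it.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# VICAR files open with a text label beginning "LBLSIZE=" (assumption
# about the label convention; used only to give a precise rejection).
VICAR_MAGIC = b"LBLSIZE="


def sniff_format(data: bytes) -> Optional[str]:
    """Return the allowlisted format name for data, or None."""
    for name, magic in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def admit(data: bytes) -> Tuple[bool, str]:
    """Decide whether a blob may be handed to the image worker."""
    fmt = sniff_format(data)
    if fmt is not None:
        return True, fmt
    if data.startswith(VICAR_MAGIC):
        return False, "rejected: VICAR input is not accepted"
    return False, "rejected: format not on the allowlist"


@dataclass
class JobResult:
    status: str            # "ok", "failed", "rejected" or "timeout"
    returncode: Optional[int]


def _cap(which: int, limit: int) -> None:
    """Lower one rlimit in the child, never above the inherited hard limit."""
    _soft, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        limit = min(limit, hard)
    resource.setrlimit(which, (limit, limit))


def run_bounded(cmd: List[str], wall_timeout: float,
                cpu_seconds: Optional[int] = None,
                mem_bytes: Optional[int] = 512 * 1024 * 1024) -> JobResult:
    """Run cmd under a wall-clock watchdog plus CPU and address-space caps.

    subprocess.run kills the child when the timeout expires, so a coder
    stuck in an infinite loop costs one worker slot for at most
    wall_timeout seconds. RLIMIT_CPU is a second line of defence should
    the parent itself stall; the memory cap is an assumed sizing.
    """
    cpu_seconds = cpu_seconds or int(wall_timeout) + 1

    def limit_child() -> None:
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        if mem_bytes is not None:
            _cap(resource.RLIMIT_AS, mem_bytes)

    try:
        proc = subprocess.run(cmd, timeout=wall_timeout,
                              preexec_fn=limit_child if resource else None,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return JobResult("timeout", None)
    return JobResult("ok" if proc.returncode == 0 else "failed",
                     proc.returncode)


def convert_image(src: str, dst: str, wall_timeout: float = 10.0) -> JobResult:
    """Admit, then convert with ImageMagick 6's `convert` (binary name and
    PATH presence are assumptions)."""
    with open(src, "rb") as fh:
        ok, _reason = admit(fh.read(16))
    if not ok:
        return JobResult("rejected", None)
    return run_bounded(["convert", src, dst], wall_timeout)


def sleeping_command(seconds: float) -> List[str]:
    """Stand-in for a hung coder: a child that just sleeps."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


if __name__ == "__main__":
    print(admit(b"LBLSIZE=1024 FORMAT='BYTE'"))
    print(run_bounded(sleeping_command(30), wall_timeout=0.5, mem_bytes=None))
```

The allowlist check costs sixteen bytes of I/O and removes a whole class of coder bugs from reach; the watchdog is what turns a CWE-835 hang from an outage into a single failed job. Keep the wall-clock timeout well under your queue's visibility or retry interval so a poisoned file cannot be re-dispatched to worker after worker.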
Evidence notes
The supplied NVD record marks the vulnerability as affecting cpe:2.3:a:imagemagick:imagemagick:* with versionStartIncluding 6.0 and versionEndExcluding 6.9.0-5. The description states that ReadVICARImage in coders/vicar.c can be driven into an infinite loop by a crafted VICAR file. The record includes CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and CWE-835. Reference metadata also includes vendor, mailing-list, and issue-tracker links; one Trac reference is marked broken in the supplied corpus.
Official resources
- CVE-2015-8903 CVE record (CVE.org)
- CVE-2015-8903 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: URL not preserved in the supplied corpus; tagged Broken Link
- Mitigation or vendor reference: URL not preserved in the supplied corpus; tagged Exploit, Vendor Advisory
- Mitigation or vendor reference: URL not preserved in the supplied corpus; tagged Exploit, Mailing List, Third Party Advisory
- Mitigation or vendor reference: URL not preserved in the supplied corpus; tagged Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: URL not preserved in the supplied corpus; tagged Exploit, Issue Tracking, Patch, Third Party Advisory
NVD published this CVE record on 2017-02-27T22:59:00.307Z; the supplied source record was last modified on 2026-05-13T00:24:29.033Z.