CVE-2021-3596

Name of the Vulnerable Software and Affected Versions ImageMagick versions prior to 7.0.10-31

Description The issue is related to a NULL pointer dereference flaw in the ReadSVGImage() function of the coders/svg.c component. This flaw is caused by not checking the return value from libxml2's xmlCreatePushParserCtxt() and using the value directly, leading to a crash and segmentation fault. The flaw can be exploited by a remote attacker to cause a denial of service.

Recommendations For versions prior to 7.0.10-31, update to version 7.0.10-31 or later to resolve the issue. As a temporary workaround, consider disabling the ReadSVGImage() function in coders/svg.c to prevent exploitation until a patch is applied. Restrict access to the coders/svg.c component to minimize the risk of exploitation. Avoid using the xmlCreatePushParserCtxt() function from libxml2 in the affected ReadSVGImage() function until the issue is resolved.