CVE-2022-32547 Overview
CVE-2022-32547 is a Type Confusion vulnerability in ImageMagick affecting the EXIF metadata processing functionality within MagickCore/property.c. The vulnerability occurs when ImageMagick loads misaligned addresses for double types (which require 8-byte alignment) and float types (which require 4-byte alignment). When crafted or untrusted input is processed by ImageMagick, this misalignment causes undefined behavior that can negatively impact application availability and potentially lead to other security issues.
Critical Impact
Processing maliciously crafted image files with ImageMagick can trigger undefined behavior due to misaligned memory access, potentially leading to application crashes, denial of service, or exploitation of undefined behavior for code execution.
Affected Products
- ImageMagick (all versions prior to patch)
- ImageMagick6 (all versions prior to patch)
- Fedora 36
- Red Hat Enterprise Linux 6.0 and 7.0
Discovery Timeline
- June 16, 2022 - CVE-2022-32547 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-32547
Vulnerability Analysis
The vulnerability resides in ImageMagick's EXIF metadata parsing code within MagickCore/property.c. When processing EXIF format single-precision (EXIF_FMT_SINGLE) and double-precision (EXIF_FMT_DOUBLE) floating-point values, the original code performed direct pointer casting and dereference operations that violated memory alignment requirements. Specifically, the code cast a generic pointer p1 to float * or double * and immediately dereferenced it without ensuring proper memory alignment.
On architectures that enforce strict memory alignment (such as ARM, SPARC, and some RISC processors), accessing misaligned memory addresses for floating-point types triggers hardware exceptions or undefined behavior. Even on x86 architectures that tolerate misaligned access, the resulting behavior becomes undefined according to the C standard, which can lead to unpredictable results including crashes, incorrect data interpretation, or exploitable conditions.
Root Cause
The root cause is improper type casting in the EXIF metadata extraction code. The vulnerable code directly cast a byte pointer to floating-point pointer types without ensuring the pointer was aligned to the required boundary:
- float types require 4-byte alignment
- double types require 8-byte alignment
When EXIF data is read from image files, the data buffer may not be aligned according to these requirements, causing the direct cast and dereference to access misaligned memory addresses. This violates the C language specification and processor alignment requirements.
Attack Vector
The attack vector is local and requires user interaction. An attacker must craft a malicious image file containing specifically structured EXIF metadata designed to trigger the misaligned access. When a user or application processes this image using ImageMagick, the vulnerability is triggered during EXIF property extraction.
The following patch from ImageMagick demonstrates the fix applied to address the misaligned memory access:
}
case EXIF_FMT_SINGLE:
{
- EXIFMultipleValues(4,"%f",(double) *(float *) p1);
+ EXIFMultipleValues(4,"%f",(double)ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_DOUBLE:
{
- EXIFMultipleValues(8,"%f",*(double *) p1);
+ EXIFMultipleValues(8,"%f",(double)ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_STRING:
Source: GitHub ImageMagick Commit
The fix replaces the unsafe direct pointer cast with ReadPropertySignedLong(), a function that properly reads the value byte-by-byte while respecting endianness, thereby avoiding alignment issues entirely.
Detection Methods for CVE-2022-32547
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using ImageMagick during image processing
- Application errors related to SIGBUS signals (bus error) on strict-alignment architectures
- Abnormal termination of image processing workflows when handling files with EXIF metadata
- Core dumps indicating faults in MagickCore/property.c or EXIF-related functions
Detection Strategies
- Monitor for abnormal application behavior when processing image files with embedded EXIF metadata
- Implement file integrity monitoring for ImageMagick binaries to detect unauthorized modifications
- Use application-level logging to track image processing operations and identify suspicious patterns
- Deploy endpoint detection solutions capable of identifying exploitation attempts targeting undefined behavior
Monitoring Recommendations
- Enable verbose logging in ImageMagick configurations to capture processing errors and warnings
- Monitor system logs for repeated crashes or SIGBUS/SIGSEGV signals from ImageMagick processes
- Track image uploads and processing in web applications for anomalous file characteristics
- Implement resource monitoring to detect potential denial of service conditions
How to Mitigate CVE-2022-32547
Immediate Actions Required
- Update ImageMagick to the latest patched version immediately
- Update ImageMagick6 installations using the patched version containing commit dc070da861a015d3c97488fdcca6063b44d47a7b
- Review and restrict ImageMagick policy configurations to limit potentially dangerous operations
- Implement input validation for image files before processing with ImageMagick
Patch Information
The vulnerability has been addressed through official commits to both ImageMagick and ImageMagick6 repositories. The fix modifies the EXIF parsing code to use proper byte-by-byte reading functions instead of direct pointer casts:
- ImageMagick: Commit eac8ce4d873f28bb6a46aa3a662fb196b49b95d0
- ImageMagick6: Commit dc070da861a015d3c97488fdcca6063b44d47a7b
For distribution-specific patches, refer to:
Workarounds
- Configure ImageMagick policy to disable EXIF processing if not required for your use case
- Use sandboxing or containerization to isolate ImageMagick processes from the rest of the system
- Implement file type validation to reject untrusted image files before ImageMagick processing
- Consider alternative image processing libraries for handling untrusted input
# Example: Restrict ImageMagick policy to limit EXIF processing
# Add to /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml
<policy domain="system" name="max-memory-request" value="256MiB"/>
<policy domain="resource" name="temporary-path" value="/tmp"/>
<policy domain="coder" rights="none" pattern="EXIF" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
