CVE-2021-3574: 
ImageMagick vulnerability analysis and mitigation

A vulnerability (CVE-2021-3574) was discovered in ImageMagick version 7.0.11-5, where executing a crafted file with the convert command results in memory leaks detected by AddressSanitizer (ASAN). The vulnerability was assigned a CVSS v3.1 base score of 3.3 (LOW) (NVD).

The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). When processing a crafted TIFF file using the convert command, ASAN detects multiple memory leaks, including a direct leak of 152 bytes and indirect leaks totaling over 15 million bytes across multiple allocations (ImageMagick Issue). The vulnerability has a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating local access, low complexity, no privileges required, and user interaction required (NVD).

The vulnerability results in memory leaks when processing crafted files, which could lead to resource exhaustion and potential denial of service. The impact is considered low as it requires local access and user interaction, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been patched in multiple versions across different distributions. Fixes were implemented in ImageMagick version 6.9.12.62 and later. Updates are available for Fedora 35, 36, and 37, as well as Debian systems (Fedora Update, Debian Update).