Impact
A single‑byte out‑of‑bounds read occurs when ImageMagick generates an IPTC output file from a malicious input. This flaw, identified as CWE‑125 and CWE‑191, allows an attacker to read memory beyond the intended buffer, potentially exposing sensitive data from the process. The vulnerability does not provide code execution or denial‑of‑service capabilities, but it can leak internal data, thereby compromising confidentiality.
Affected Systems
ImageMagick versions prior to 6.9.13-47 and 7.1.2-22 are affected. Users employing older releases of the core ImageMagick library should upgrade to the specified patched versions or later.
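One way to check an installed build against the fixed releases named above, as an added example that is not part of the advisory or the ImageMagick project: it parses the version banner printed by `magick -version` (the sample banners are constructed) and compares the fields numerically, so that 7.1.2-3 sorts before 7.1.2-22. Treating major versions below 6 as affected and majors above 7 as undetermined is an assumption of this example.

```python
import re

# Fixed releases as stated in the advisory text, keyed by major branch.
PATCHED = {6: (6, 9, 13, 47), 7: (7, 1, 2, 22)}

# Matches e.g. "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 ..."
_BANNER = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch) as ints, or None if not found."""
    m = _BANNER.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner):
    """True = older than the fixed release, False = fixed, None = undetermined."""
    v = parse_version(banner)
    if v is None:
        return None
    if v[0] < 6:          # assumption: pre-6 branches never received the fix
        return True
    if v[0] not in PATCHED:
        return None       # unknown newer branch: do not guess
    # Tuple comparison is numeric per field; comparing the raw strings
    # would wrongly rank "7.1.2-3" above "7.1.2-22".
    return v < PATCHED[v[0]]


if __name__ == "__main__":
    # Constructed sample banners, shaped like the first line of `magick -version`.
    samples = [
        "Version: ImageMagick 7.1.2-3 Q16-HDRI x86_64 https://imagemagick.org",
        "Version: ImageMagick 7.1.2-22 Q16-HDRI x86_64 https://imagemagick.org",
        "Version: ImageMagick 6.9.11-60 Q16 x86_64 https://imagemagick.org",
        "Version: ImageMagick 6.9.13-47 Q16 x86_64 https://imagemagick.org",
    ]
    for line in samples:
        print(parse_version(line), "affected" if is_affected(line) else "fixed")
```

Distribution packages can carry a backported fix under an older upstream version string, so an "affected" result on a distro build should be confirmed against that distribution's own advisory.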
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate impact. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting limited active exploitation. The attack vector is inferred to be local: a malicious file input that an application using ImageMagick processes. An attacker needs to supply crafted input to an application that writes IPTC data, making exploitation plausible in controlled environments.