Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-22.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can supply an invalid keep-top value to the connected components operation in ImageMagick, causing a heap buffer over‑read. The malicious read may expose data that resides adjacent to the target memory area, potentially leaking sensitive information. This weakness is aligned with CWE‑125 (Out‑of‑Bounds Read) and CWE‑129 (Signed to Unsigned Conversion Error).

Affected Systems

The vulnerability affects any ImageMagick installation dated before version 6.9.13‑48 or 7.1.2‑22, regardless of the operating system. Any system that processes images with these releases—such as image‑processing servers, web applications, or local utilities—is susceptible.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity, and the EPSS score is not available, so the likelihood of exploitation remains uncertain. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to craft an image that triggers the connected components operation with a malicious keep‑top value. Based on the description, it is inferred that if ImageMagick is exposed through a remote interface, such as a web service that automatically processes uploaded images, the attack could be carried out remotely; otherwise it would require local access or privileged execution.

Generated by OpenCVE AI on June 10, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑48 or later, or 7.1.2‑22 or later, to apply the fixed implementation.
  • If an upgrade is not immediately possible, configure or modify the application to avoid invoking the connected‑components operation with user‑supplied keep‑top values, or enforce a safe default threshold.
  • Implement input validation or sanitization for image files to ensure that any keep‑top parameter falls within expected bounds before passing data to ImageMagick.

Generated by OpenCVE AI on June 10, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-vhrh-72hq-w8m7 ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define
History

Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Wed, 10 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-22.
Title ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define
Weaknesses CWE-125
CWE-129
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:21.554Z

Reserved: 2026-05-11T21:40:08.179Z

Link: CVE-2026-45359

cve-icon Vulnrichment

Updated: 2026-06-30T03:17:26.699Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T22:16:58.070

Modified: 2026-06-11T18:41:39.570

Link: CVE-2026-45359

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-10T21:26:32Z

Links: CVE-2026-45359 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-129

    Improper Validation of Array Index