Impact
An attacker can supply an invalid keep-top value to the connected components operation in ImageMagick, causing a heap buffer over-read. The out-of-bounds read may expose data that resides adjacent to the intended memory region, potentially leaking sensitive information. This weakness is aligned with CWE‑125 (Out‑of‑Bounds Read) and CWE‑129 (Signed to Unsigned Conversion Error).
Affected Systems
The vulnerability affects any ImageMagick installation running a version earlier than 6.9.13‑48 or 7.1.2‑22, on any operating system. Any system that processes images with these releases, such as image-processing servers, web applications, or local utilities, is susceptible.
Risk and Exploitability
The CVSS score of 5.7 indicates moderate severity; no EPSS score is available, so the likelihood of exploitation remains uncertain. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to craft an image that triggers the connected components operation with a malicious keep-top value. The description suggests that where ImageMagick is exposed through a remote interface, such as a web service that automatically processes uploaded images, the attack could be carried out remotely; otherwise it would require local access or privileged execution.
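The following C example, added here and not taken from ImageMagick's source, illustrates the CWE-129 pattern behind this class of bug and the check a maintainer would add: a signed keep-top value is validated before it is ever converted to an unsigned count or used to bound a loop over a heap array. The `Component` type, the function names and the five-element sample are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical component record; a stand-in, not ImageMagick's own type. */
typedef struct { int id; size_t area; bool discarded; } Component;

/* Unchecked arithmetic an implementation might use to find how many
 * components to drop. With keep_top = -1 the cast wraps to SIZE_MAX and
 * count - SIZE_MAX == count + 1: one more element than the buffer holds. */
size_t unchecked_discard_count(long keep_top, size_t count)
{
    return count - (size_t) keep_top;
}

/* Reject negative values before any conversion to size_t, then bound the
 * value by the number of components actually present. */
bool keep_top_is_valid(long keep_top, size_t count)
{
    if (keep_top < 0)
        return false;
    return (size_t) keep_top <= count;  /* safe: keep_top is non-negative here */
}

/* Mark all but the keep_top largest components for removal. `components`
 * is assumed sorted by area, largest first. Returns the number kept, or
 * (size_t)-1 when the request is rejected. */
size_t apply_keep_top(Component *components, size_t count, long keep_top)
{
    if (!keep_top_is_valid(keep_top, count))
        return (size_t) -1;
    for (size_t i = (size_t) keep_top; i < count; i++)  /* never past count-1 */
        components[i].discarded = true;
    return (size_t) keep_top;
}

/* Constructed sample of five components; returns how many survive,
 * or (size_t)-1 if the keep-top request was rejected. */
size_t demo_survivors(long keep_top)
{
    Component c[5] = { {0, 900, false}, {1, 400, false}, {2, 120, false},
                       {3, 30, false}, {4, 7, false} };
    if (apply_keep_top(c, 5, keep_top) == (size_t) -1)
        return (size_t) -1;
    size_t kept = 0;
    for (size_t i = 0; i < 5; i++)
        if (!c[i].discarded)
            kept++;
    return kept;
}
```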