Impact
The vulnerability is a heap buffer over‑read in ImageMagick's polynomial distortion operation. When an attacker supplies specially crafted distortion parameters, ImageMagick can read 24 bytes beyond a valid memory buffer. Based on the description, it is inferred that this can expose sensitive data from memory or cause the application to crash, potentially leading to a denial‑of‑service or the leakage of private information.
Affected Systems
Affected versions include ImageMagick 6.x up to, but not including, 6.9.13‑47, and ImageMagick 7.x up to, but not including, 7.1.2‑22. All software that relies on these versions—for example, web servers or content management systems that process images—may be vulnerable unless the library has been upgraded.
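A version check against the fixed releases named above, as an added example that is not part of the original advisory. The function names and the sample banners are constructed for illustration; the banner format is the one printed by `magick -version` (7.x) or `convert -version` (6.x).

```python
import re
import subprocess

# First fixed release on each branch, taken from the advisory text above.
FIXED = {6: (6, 9, 13, 47), 7: (7, 1, 2, 22)}

# Matches e.g. "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 ..."
_BANNER = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, build) from a -version banner, or None."""
    m = _BANNER.search(banner or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(banner):
    """True or False for 6.x and 7.x builds; None if the banner cannot be judged."""
    version = parse_version(banner)
    if version is None or version[0] not in FIXED:
        return None
    return version < FIXED[version[0]]


def installed_banner():
    """Query the local binary: 'magick' ships with 7.x, 'convert' with 6.x."""
    for tool in ("magick", "convert"):
        try:
            out = subprocess.run([tool, "-version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and "ImageMagick" in out.stdout:
            return out.stdout
    return None


if __name__ == "__main__":
    banner = installed_banner()
    verdict = is_affected(banner)
    if verdict is None:
        print("ImageMagick not found or version not recognised")
    else:
        # Distribution packages may backport fixes without changing the
        # upstream version string, so confirm against the distro advisory.
        print(parse_version(banner), "AFFECTED" if verdict else "fixed upstream")
```

Applications that link the library directly rather than calling the command-line tools need the same comparison against the version of the library they load.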
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. Because no EPSS score is available and the vulnerability is not in the CISA KEV catalog, the overall likelihood of exploitation appears low, but exploitation remains possible through local or network-based image submission if the target application accepts untrusted image data. Based on the description, it is inferred that the attack requires delivering a malformed image to the ImageMagick process, so the likely attack vector is a local or remote image-processing service.