Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Published: 2026-06-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap buffer over‑read in ImageMagick's polynomial distortion operation. When specific arguments are passed to the distortion, ImageMagick reads past the end of a valid heap buffer; the description puts the over-read at 24 bytes, while the GHSA title says 4 bytes, so the exact size is unsettled on this page. Based on the description, the inferred consequences are a crash of the processing application (denial of service) or disclosure of a small amount of adjacent heap memory, which matches the CVSS vector's low confidentiality impact, low availability impact, and no integrity impact.

Affected Systems

Affected versions include ImageMagick 6.x up to, but not including, 6.9.13‑47, and ImageMagick 7.x up to, but not including, 7.1.2‑22. All software that relies on these versions—for example, web servers or content management systems that process images—may be vulnerable unless the library has been upgraded.

Risk and Exploitability

The CVSS 3.1 base score of 5.1 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) indicates moderate severity: the attack vector is rated local, no privileges or user interaction are required, and confidentiality and availability impact are both low. The EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, so the current exploitation likelihood appears low. The description attributes the over‑read to specific arguments to the polynomial distortion rather than to image contents, so the realistic exposure is any service that lets untrusted input influence the distort operation's parameters (for example a web application or CMS that exposes image transformation options). Despite the local rating, such services should treat the issue as reachable by remote users.

Generated by OpenCVE AI on June 10, 2026 at 22:50 UTC.

Remediation

Fixed upstream in ImageMagick 6.9.13‑47 (6.x line) and 7.1.2‑22 (7.x line), as stated in the description; distribution packages are covered by the Debian advisories listed below. No workaround other than upgrading is provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 6.9.13‑47 or later on the 6.x line, or to 7.1.2‑22 or later on the 7.x line.
  • Restart all services or applications that depend on ImageMagick so that the updated library is loaded.
  • Implement strict validation of image inputs and restrict image processing to trusted sources to reduce the attack surface.
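A quick way to act on the first two recommended actions is to check what version the host actually runs before and after the upgrade. The script below is an added example, not OpenCVE's or ImageMagick's code. It assumes the `Version: ImageMagick <major.minor.patch-build> ...` banner format printed by `magick -version` (7.x) and `convert -version` (6.x), compares the installed version numerically against the fixed releases named in the description, and falls back to a constructed sample banner when no ImageMagick is on PATH.

```shell
#!/bin/sh
# Added example, not OpenCVE's or ImageMagick's code: decide whether an
# installed ImageMagick is at or past the fixed release named in the
# description (6.9.13-47 on the 6.x line, 7.1.2-22 on the 7.x line).
# Assumption: the first line of `magick -version` / `convert -version`
# has the form "Version: ImageMagick <major.minor.patch-build> ...".

# Constructed sample banner for a vulnerable 7.x build (not real tool output).
SAMPLE_BANNER='Version: ImageMagick 7.1.2-21 Q16-HDRI x86_64 https://imagemagick.org'

# Pull "7.1.2-21" out of a -version banner; prints nothing if it does not match.
im_version_from_banner() {
    printf '%s\n' "$1" | awk '/^Version: ImageMagick / { print $3; exit }'
}

# Turn "7.1.2-22" into one integer so versions compare numerically, not as
# strings ("7.1.2-9" must sort below "7.1.2-22"). Room per field: minor < 1000,
# patch < 100, build < 1000, which covers every ImageMagick release line.
im_version_key() {
    v=$1
    base=${v%%-*}                      # "7.1.2"
    build=${v##*-}                     # "22"
    [ "$build" = "$v" ] && build=0     # no "-build" suffix present
    set -- $(printf '%s' "$base" | tr . ' ')
    echo $(( ${1:-0} * 100000000 + ${2:-0} * 100000 + ${3:-0} * 1000 + build ))
}

# Prints 1 if the version is fixed, 0 if it is still vulnerable, and
# "unknown" for a major version this advisory does not cover.
im_is_fixed() {
    case ${1%%.*} in
        6) fixed=$(im_version_key 6.9.13-47) ;;
        7) fixed=$(im_version_key 7.1.2-22) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$(im_version_key "$1")" -ge "$fixed" ]; then echo 1; else echo 0; fi
}

# Check the live install if one is on PATH; otherwise fall back to the sample.
banner=$( { magick -version || convert -version; } 2>/dev/null | head -n 1 )
installed=$(im_version_from_banner "$banner")
if [ -z "$installed" ]; then
    echo "no ImageMagick banner found on PATH; using constructed sample"
    installed=$(im_version_from_banner "$SAMPLE_BANNER")
fi
echo "ImageMagick $installed fixed=$(im_is_fixed "$installed")"
```

Run it once per host, then again after the package upgrade and service restart so the long-running processes have actually reloaded the library. One caveat: Debian ships fixes as backports under an older upstream version string, so on Debian hosts the authoritative check is the package version named in the DLA/DSA advisories listed on this page, not the upstream number this script compares against.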


Advisories
Source        ID                    Title
Debian DLA    DLA-4609-1            imagemagick security update
Debian DSA    DSA-6298-1            imagemagick security update
Debian DSA    DSA-6310-1            imagemagick security update
GitHub GHSA   GHSA-pfvh-m9xv-8966   ImageMagick: Heap Buffer Over-Read of a 4 bytes in distort operation.
History

Tue, 23 Jun 2026 16:30:00 +0000

  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 18:45:00 +0000

  CPEs added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 12:15:00 +0000

  References: changed
  Metrics changed: threat_severity None -> Moderate

Wed, 10 Jun 2026 22:45:00 +0000

  First Time appeared: Imagemagick; Imagemagick imagemagick
  Vendors & Products added: Imagemagick; Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

  Description added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
  Title added: ImageMagick: Heap Buffer Over-Read of a 4 bytes in distort operation.
  Weaknesses added: CWE-125, CWE-129
  References: changed
  Metrics added: cvssV3_1
    {'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:53:25.305Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45624

Vulnrichment

Updated: 2026-06-11T12:46:06.666Z

NVD

Status : Analyzed

Published: 2026-06-10T22:16:58.723

Modified: 2026-06-11T18:41:43.880

Link: CVE-2026-45624

Red Hat

Severity : Moderate

Public Date: 2026-06-10T21:29:28Z

Links: CVE-2026-45624 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-129

    Improper Validation of Array Index