Impact
An attacker who can connect to the distributed pixel cache service of ImageMagick can trigger a race condition that results in the server process hijacking a file descriptor. This flaw is identified as a race condition with incomplete synchronization, highlighting a concurrency issue in the handling of shared resources.
Affected Systems
ImageMagick installations built prior to versions 6.9.13-48 and 7.1.2-23 are affected. The vulnerability applies when the distributed pixel cache service (magick -distribute-cache) is exposed to potential attackers.
Risk and Exploitability
The CVSS score of 4.1 indicates moderate impact. The EPSS score of less than 1 % shows a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be able to connect to the distributed cache service, implying that exposure of this service to untrusted networks is a prerequisite.
OpenCVE Enrichment
Debian DLA
Debian DSA
Github GHSA