Impact
ImageMagick’s DCM decoder is missing a validation check, which allows it to produce an image with invalid dimensions. When such an image is processed, dependent operations can crash, disrupting the availability of the software and any services that rely on it. The weakness is an input validation flaw, classified as CWE-20 and CWE-1284.
Affected Systems
The affected product is ImageMagick from the ImageMagick project. Vulnerable builds are any versions earlier than 6.9.13-48 and 7.1.2-24. The security advisory confirms that the issue has been patched in 6.9.13-48 and 7.1.2-24 respectively.
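To check an installed build against the fixed releases listed above, the following added example (not code from the advisory or the ImageMagick project) parses the banner line printed by `magick -version` or `convert -version` and compares it numerically. The function names and sample banners are constructed for illustration.

```python
import re

# Fixed releases named in the advisory summary above.
FIXED_6 = (6, 9, 13, 48)
FIXED_7 = (7, 1, 2, 24)

# Matches the version in a banner such as
# "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 ..."
BANNER = re.compile(r"\bImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, build) from a banner line, or None."""
    m = BANNER.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def dcm_status(banner):
    """Classify a banner as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version[0] == 7:
        fixed = FIXED_7
    elif version[0] <= 6:
        fixed = FIXED_6  # "earlier than 6.9.13-48" also covers older majors
    else:
        return "unknown"  # branch not covered by the advisory text
    # Tuple comparison is numeric per field, so build 5 sorts before build 48.
    return "vulnerable" if version < fixed else "patched"


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-5 Q16 x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-48 Q16 x86_64 https://imagemagick.org",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{dcm_status(line):10}  {line}")
```

Distribution packages may carry a backported fix under an older upstream version number, so the result applies to upstream builds; for packaged builds, check the distribution's own advisory.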
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of 0.00263 indicates a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation at present. The likely attack vector is the supply of a crafted DCM image through any interface that invokes the decoder, such as image upload endpoints or import functions. Exploitation would lead to a crash rather than arbitrary code execution, and no additional conditions are asserted in the advisory.