Impact
ImageMagick is an image manipulation library. A failure to allocate memory during CheckPrimitiveExtent results in a heap‑use‑after‑free, which is a use‑after‑free flaw (CWE‑416) and also a memory operation error (CWE‑825). The flaw causes the program to crash but does not directly grant code execution. The vulnerability can be triggered when an attacker supplies a specially crafted image to a service that uses the vulnerable path, leading to a denial‑of‑service condition.
Affected Systems
Versions prior to 6.9.13‑50 and 7.1.2‑25 of ImageMagick are affected. The vulnerability applies to the ImageMagick application across all supported platforms where older binaries are used.
Risk and Exploitability
The CVSS score is 5.9, indicating a moderate risk assessment. EPSS score is < 1%, showing a very low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog. The attack would likely occur when an attacker supplies a specially crafted image file to a service that invokes the vulnerable allocation path, potentially causing the application to crash.
OpenCVE Enrichment
Github GHSA