Impact
ImageMagick before 7.1.2‑15 and 6.9.x before 6.9.13‑40 contains an integer overflow (CWE‑190) in the PSB (PSD v2) RLE decoding path, which triggers a heap out‑of‑bounds read (C on 32‑bit builds. A crafted PSB file can therefore expose sensitive data from the program’s memory or cause a crash, potentially allowing an attacker to learn confidential information.
Affected Systems
The vulnerable products are ImageMagick on all platforms that use the 32‑bit build of the library. Affected releases include every version before 7.1.2‑15 and 6.9.13‑40; upgrading to 7.1.2‑15 or later and 6.9.13‑40 or later eliminates the flaw.
Risk and Exploitability
The CVSS score of 6.3 classifies the vulnerability as medium severity, and it is not listed in the CISA KEV catalog. The EPSS score of < 1% indicates a very low but non‑zero probability of exploitation. Because the flaw is a read‑only memory issue, the impact is limited to information disclosure or a crash. The attack requires the execution of a malicious PSB file. The potential for remote exploitation is inferred based on the need for a malicious file to be processed by an application that accepts untrusted images; however, the description does not explicitly state that remote attack is possible, so such a scenario remains speculative. Overall, the risk is moderate, with no known exploitation evidence beyond the described out‑of‑bounds read.
OpenCVE Enrichment
Debian DSA