Description
ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
Published: 2026-06-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick versions before 7.1.2-19 contain a flaw in the ConnectedComponentsImage() function. The function reads a connected‑components artifact that can specify an index outside the bounds of the allocated array. When an attacker supplies a malformed artifact through the command‑line interface, the library can read memory it should not access, triggering an access violation. The result is a denial of service but the read may also expose or alter data, creating a path to arbitrary code execution if the memory corruption is leveraged. The weakness is a classic out‑of‑bounds read (CWE‑125).

Affected Systems

The vulnerability affects all installations of ImageMagick before release 7.1.2‑19. This includes every system that relies on the standard ImageMagick distribution, regardless of platform, as the flaw exists in the core library code.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate severity, and the EPSS score is not available, so the likelihood of widespread exploitation cannot be quantified from the data presented. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to craft a specific connected‑components artifact and invoke ImageMagick with that input, typically through the command line. The absence of a public exploit suggests that exploitation requires environment preparation, but the denial of service impact remains useful for attackers seeking to degrade services.

Generated by OpenCVE AI on June 24, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑19 or later, which contains a fix for the out‑of‑bounds access in ConnectedComponentsImage()
  • If an immediate upgrade is not possible, avoid processing connected‑components artifacts from untrusted sources and disable the feature in the configuration if supported
  • Implement resource limits and monitor for abnormal crashes or access violations when ImageMagick is invoked to detect potential exploitation attempts

Generated by OpenCVE AI on June 24, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4680-1 imagemagick security update
Debian DSA Debian DSA DSA-6383-1 imagemagick security update
Github GHSA Github GHSA GHSA-pmpg-6pww-fg6q ImageMagick has out-of-bounds access in ConnectedComponentsImage() via CLI-controlled connected-components:* artifacts
History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
Title ImageMagick - Out-of-bounds Access in ConnectedComponentsImage via connected-components Artifact
First Time appeared Imagemagick
Imagemagick imagemagick
Weaknesses CWE-125
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Imagemagick
Imagemagick imagemagick
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T13:20:32.154Z

Reserved: 2026-06-21T02:05:21.920Z

Link: CVE-2026-56370

cve-icon Vulnrichment

Updated: 2026-06-25T13:20:28.604Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T11:53:21Z

Links: CVE-2026-56370 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:45:02Z

Weaknesses