Description
ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
Published: 2026-06-24
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick releases before 7.1.2-19 contain a flaw in the ConnectedComponentsImage() function. The function reads the connected-components artifacts (the connected-components:* options supplied on the command line) and those artifacts can name an index outside the bounds of the array the function allocated; the index is used without validation. An attacker who controls those options can therefore make the library read memory it should not access, which triggers an access violation and crashes the process. The practical result is denial of service. The description also mentions potential code execution, but both CVSS vectors recorded for this CVE score confidentiality and integrity impact as none and availability impact as low, so the metrics only support the crash; treat the code-execution claim as unconfirmed until a more detailed analysis is published. The weakness is classified as an out-of-bounds read (CWE-125).

Affected Systems

The vulnerability affects every ImageMagick build before release 7.1.2-19 on any platform, because the flaw sits in the core library rather than in a platform-specific component or external delegate. The CPE recorded for this CVE (cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*) carries no version bound, so treat any installation you cannot confirm as 7.1.2-19 or later as affected, including ImageMagick copies bundled inside other software.

Risk and Exploitability

The CVSS v4.0 score is 4.8 (Medium) and the CVSS v3.1 score is 3.3 (Low); both vectors record a local attack vector, no privileges required, user interaction required, and an availability-only impact. No EPSS score is available, so the likelihood of exploitation cannot be quantified from the data on this page, and the CVE is not listed in CISA's KEV catalog. To trigger the bug an attacker must control the connected-components:* artifacts passed to ImageMagick, normally through -define options on the command line, not merely the image file; the realistic exposure is therefore a service or script that builds a magick or convert command line from user-supplied parameters. No public exploit is referenced on this page. Even as a crash-only bug, a reliable way to kill an image-processing worker remains useful to an attacker seeking to degrade a service.

Generated by OpenCVE AI on June 24, 2026 at 13:52 UTC.

Remediation

The remediation field of this record carries no vendor fix or workaround, but the description and the GHSA advisory bound the affected range at 7.1.2-19, which is the first release that addresses the issue; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-19 or later, which contains the fix for the out-of-bounds access in ConnectedComponentsImage(); confirm the installed release with magick -version on every host, including containers that bundle their own copy
  • If an immediate upgrade is not possible, never pass user-controlled -define connected-components:* options to the CLI (or the equivalent artifacts to the library); this page identifies no configuration switch that disables the feature, so treat the option string itself as the untrusted input and build it server-side from a fixed allow-list
  • Apply ImageMagick resource limits (the resource policies in policy.xml, or -limit on the command line), run conversions in a sandboxed, unprivileged worker so a crash is contained, and alert on repeated access-violation or SIGSEGV exits from ImageMagick processes, which would be the signature of attempted exploitation
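The second recommended action above amounts to treating the option string as untrusted input. The following added example, written for this page and not code from ImageMagick or OpenCVE, shows one way to do that in a Python service that shells out to the magick CLI: every -define is checked against an allow-list of connected-components:* keys with a value grammar, object-id lists are capped, and the command is assembled as an argv list rather than a shell string. The key names and value shapes are the author's recollection of the documented connected-components defines and are assumptions, as is the MAX_OBJECT_ID cap; the true upper bound is the number of objects in the image, which is unknown before processing, so this check reduces exposure but does not replace the upgrade.

```python
"""Allow-list validation of connected-components:* defines before invoking the
ImageMagick CLI.  Added example for this page, not ImageMagick's own code."""
import re

# Option names and value shapes are taken from the ImageMagick
# -connected-components documentation as recalled by the author; they are an
# assumption, not something the advisory states.  Unknown keys are rejected.
NUMBER, COUNT, ID_LIST, COLOR_LIST, BOOLEAN = "number", "count", "id_list", "color_list", "boolean"
ALLOWED_KEYS = {
    "area-threshold": NUMBER,
    "keep-ids": ID_LIST,
    "remove-ids": ID_LIST,
    "keep-top": COUNT,
    "remove-top": COUNT,
    "keep-colors": COLOR_LIST,
    "remove-colors": COLOR_LIST,
    "mean-color": BOOLEAN,
    "verbose": BOOLEAN,
}

# Local policy cap on object ids (an assumption, not a value from the advisory).
# The true bound, the number of objects found, is only known after labelling,
# so this cap limits abuse rather than proving an id is valid.
MAX_OBJECT_ID = 100_000

_NUMBER = re.compile(r"^\d+(?:\.\d+)?$")
_COUNT = re.compile(r"^\d+$")
_ID_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")   # "7" or "0-3"
_COLOR = re.compile(r"^(?:#[0-9A-Fa-f]{6}|[A-Za-z]+)$")


class InvalidDefine(ValueError):
    """Raised for any define that is not on the allow-list or is malformed."""


def _check_value(kind, value):
    items = value.split(",")
    if kind == NUMBER and not _NUMBER.match(value):
        raise InvalidDefine(f"expected a non-negative number, got {value!r}")
    if kind == COUNT and not _COUNT.match(value):
        raise InvalidDefine(f"expected a non-negative integer, got {value!r}")
    if kind == BOOLEAN and value not in ("true", "false"):
        raise InvalidDefine(f"expected true/false, got {value!r}")
    if kind == COLOR_LIST and not all(_COLOR.match(c) for c in items):
        raise InvalidDefine(f"bad color list {value!r}")
    if kind == ID_LIST:
        for item in items:
            m = _ID_ITEM.match(item)
            if not m:
                raise InvalidDefine(f"bad object id or range {item!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) is not None else lo
            if lo > hi or hi > MAX_OBJECT_ID:
                raise InvalidDefine(f"object id range {item!r} out of policy bounds")


def validate_define(define):
    """Return the define unchanged if it is an allowed connected-components:*
    key with a well-formed value; raise InvalidDefine otherwise."""
    key, sep, value = define.partition("=")
    if not sep or not value:
        raise InvalidDefine(f"define must be key=value, got {define!r}")
    prefix, _, name = key.partition(":")
    if prefix != "connected-components" or name not in ALLOWED_KEYS:
        raise InvalidDefine(f"key {key!r} is not on the allow-list")
    _check_value(ALLOWED_KEYS[name], value)
    return define


def is_safe_define(define):
    """Boolean form of validate_define for callers that only need a verdict."""
    try:
        validate_define(define)
    except InvalidDefine:
        return False
    return True


def build_command(input_path, output_path, connectivity, defines):
    """Assemble argv for the magick CLI with only validated defines.  Returned
    as a list for subprocess.run(argv), never joined into a shell string.
    Paths are passed through as given; validating them is a separate concern."""
    if connectivity not in (4, 8):
        raise InvalidDefine("connectivity must be 4 or 8")
    argv = ["magick", input_path]
    for define in defines:
        argv += ["-define", validate_define(define)]
    argv += ["-connected-components", str(connectivity), output_path]
    return argv


if __name__ == "__main__":
    # Constructed request: a benign option set, then an absurd object id of
    # the kind the advisory calls an invalid index, which is rejected.
    print(build_command("in.png", "out.png", 4,
                        ["connected-components:area-threshold=50",
                         "connected-components:keep-ids=0-3,7"]))
    print(is_safe_define("connected-components:keep-ids=999999999"))  # False
```

Anything that fails validation is dropped before the process is spawned, so a request carrying an unknown key, a negative or oversized id, or a value with shell metacharacters never reaches ImageMagick; the argv form also keeps an attacker from smuggling extra options through a quoted string.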

Advisories
Source       ID                    Title
GitHub GHSA  GHSA-pmpg-6pww-fg6q   ImageMagick has out-of-bounds access in ConnectedComponentsImage() via CLI-controlled connected-components:* artifacts
History

Wed, 24 Jun 2026 12:00:00 +0000

Type                 Values Removed   Values Added
Description          (none)           ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
Title                (none)           ImageMagick - Out-of-bounds Access in ConnectedComponentsImage via connected-components Artifact
First Time appeared  (none)           Imagemagick (vendor); Imagemagick imagemagick (product)
Weaknesses           (none)           CWE-125
CPEs                 (none)           cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Imagemagick (vendor); Imagemagick imagemagick (product)
References           (none)           (none)
Metrics              (none)           cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
                                      cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T11:53:21.113Z

Reserved: 2026-06-21T02:05:21.920Z

Link: CVE-2026-56370

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:45:02Z

Weaknesses