Impact
ImageMagick versions prior to 7.1.2-15 (and 6.x prior to 6.9.13-40) contain a heap out‑of‑bounds read in the PCD decoder’s DecodeImage loop. A malicious or crafted PCD file can trigger a one‑byte read beyond the bounds of a heap buffer during image decoding, causing the process to crash and potentially expose an adjacent heap byte. The primary impact is therefore denial of service, with a secondary risk of leaking sensitive information stored near the read location.
Affected Systems
All systems that run the affected ImageMagick binaries—specifically ImageMagick releases before 7.1.2-15 and before 6.9.13-40—use the vulnerable PCD decoder. Administrators should verify the exact build numbers on any production or public servers that process PCD images.
Risk and Exploitability
The CVSS score of 6.3 classifies the vulnerability as a moderate risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that large‑scale exploitation has not yet been observed. However, the flaw can be triggered simply by feeding a crafted PCD file into the image decoder, which may be possible both locally and remotely if a service accepts arbitrary image uploads. Attackers would typically need access to the filesystem or API that allows image uploads; no privilege escalation or remote code execution is required.
OpenCVE Enrichment
Debian DSA