MEDIUM 5.7

CVE-2026-45359: ImageMagick Heap Buffer Over-Read in Connected Components

ImageMagick, a widely-used image editing library, contains a memory safety flaw in its connected components operation. When the connected-components:keep-top parameter receives an invalid value, the software can read beyond allocated memory boundaries. While the vulnerability requires specific input conditions and local system access, it may allow an attacker to extract sensitive data or crash the application. Versions 6.9.13-48 and 7.1.2-22 patch this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Weaknesses (CWE)
CWE-125, CWE-129
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-15

NVD description (verbatim)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-22.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45359 is a heap buffer over-read vulnerability in ImageMagick's connected components operation. The flaw occurs when processing an invalid connected-components:keep-top configuration value, causing the software to read memory outside intended buffer boundaries. The issue maps to CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index), reflecting both the memory access violation and the underlying input validation deficiency. The local attack vector, high complexity requirement, and lack of impact on integrity suggest this is primarily an information disclosure risk with secondary availability concerns.

Business impact

Organizations using ImageMagick for automated image processing workflows—including web applications, content management systems, and media platforms—face two primary risks. First, maliciously crafted or malformed image files could be weaponized to exfiltrate sensitive data from the server's memory. Second, processing such images could trigger a denial-of-service condition, interrupting legitimate image operations. The severity depends on deployment context: public-facing services accepting user-uploaded images carry higher risk than internal-only installations.

Affected systems

ImageMagick versions prior to 6.9.13-48 (legacy branch) and 7.1.2-22 (current branch) are affected. Any system running these versions and invoking connected components operations—typically through image magick command-line tools, library calls, or higher-level frameworks that wrap ImageMagick—is potentially vulnerable. Common affected deployments include web servers, containerized services, and document processing pipelines.

Exploitability

Exploitation requires local system access and intentional manipulation of the connected-components:keep-top parameter with an invalid value. The attack is not remotely exploitable by default, though remote paths exist if the application exposes image processing APIs without strict input validation. Proof-of-concept exploitation would require either direct command-line access or crafted image files paired with specific ImageMagick invocations. The complexity is elevated because the attacker must understand the underlying operation and trigger conditions.

Remediation

Upgrade ImageMagick to version 6.9.13-48 or later (legacy users) or 7.1.2-22 or later (current users). Before upgrading, audit application code to identify where connected components operations are used and confirm no custom tooling directly exposes the vulnerable parameter to untrusted input. For environments where immediate patching is infeasible, restrict image processing to trusted sources and monitor for unusual memory access patterns.

Patch guidance

Apply the patched versions 6.9.13-48 (for the 6.9.x branch) or 7.1.2-22 (for the 7.1.x branch) as released by the ImageMagick project. Verify the patch version against official distribution channels (imagemagick.org or your package manager). Plan deployment during a maintenance window to avoid interrupting image processing services. Test patched versions against your existing image processing workflows to ensure compatibility before production rollout.

Detection guidance

Monitor ImageMagick processes for abnormal behavior: crashes with memory-related error messages, segmentation faults during image operations, or unusual CPU spikes during connected components processing. Implement input validation upstream of ImageMagick to reject image files or parameters that do not conform to expected specifications. Consider sandboxing ImageMagick in containerized or virtual environments to limit memory exposure. Review application logs for exceptions or errors tied to connected-components operations, particularly those referencing keep-top parameters.

Why prioritize this

Although the CVSS score of 5.7 (MEDIUM) reflects the local-only attack vector and high complexity, the vulnerability warrants timely attention because it affects a foundational image processing library used across diverse environments. The information disclosure risk is meaningful in multi-tenant or shared hosting scenarios. The lack of known public exploitation and absence from the CISA KEV catalog suggest lower immediate pressure, but organizations processing untrusted image content should prioritize patching. Risk should be reassessed upward for any service that exposes image processing to the internet.

Risk score, explained

The CVSS 3.1 score of 5.7 (MEDIUM) reflects a local attack vector (AV:L) with high attack complexity (AC:H), requiring no privileges or user interaction. The vector shows high confidentiality impact (C:H), indicating potential data leakage, but no integrity impact (I:N) and low availability impact (A:L). This profile suggests the primary threat is unauthorized memory disclosure rather than system compromise or widespread outage. Organizations in high-confidentiality environments or those processing sensitive user data should treat this as higher priority than the base score alone indicates.

Frequently asked questions

Is there a public exploit for this vulnerability?

No. As of the current date, there is no evidence of public exploitation or proof-of-concept code. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no known active attacks in the wild.

Can this be exploited remotely without local access?

Not in the default configuration. The vulnerability requires local system access or the ability to supply a crafted image file to an ImageMagick process. However, if your application exposes image processing APIs over the network without proper input validation, the attack surface could be extended. Review how ImageMagick is invoked in your environment.

What should development teams do if they embed ImageMagick in a product?

Update to the patched versions immediately. Additionally, review whether your application directly exposes or allows customization of the connected-components:keep-top parameter. If it does, add strict input validation to reject invalid values before passing them to ImageMagick.

Are there workarounds if we cannot patch immediately?

Yes. Limit image processing to trusted, internal sources only. Disable or restrict connected components operations if not essential to your use case. Implement tight sandboxing using containers, virtual machines, or OS-level restrictions to limit memory access. These are temporary mitigations; patching should remain the priority.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Patch versions, CVSS scores, and CWE classifications are derived from official CVE data. SEC.co does not guarantee the completeness or accuracy of remediation guidance for all deployment contexts. Test all patches in non-production environments before production deployment. For the most current information, consult the ImageMagick project's official advisories and your organization's security tools. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).