ImageMagick, Out-of-Bounds Read, CVE-2026-??? (Moderate)

Listen to this Post

The vulnerability occurs in the `ConnectedComponentsImage()` function when processing a user-supplied invalid `connected-components:keep-top` define value. During connected components analysis, this define specifies the maximum number of top components to retain. If an out-of-range index is provided, the function attempts to read from a heap-allocated component list beyond its allocated bounds, triggering a heap buffer over-read. This out-of-bounds read can lead to a crash (denial of service) or potentially disclose sensitive memory contents. The flaw resides in the `MagickCore/vision.c` module, where the component list index is not properly validated before access. Attackers can exploit this by crafting an image with a malicious `-define connected-components:keep-top=N` argument, where `N` exceeds the actual number of components. When the connected components operation executes, the function dereferences an invalid pointer, causing the heap over-read. The issue is exacerbated because the component count is derived from image metadata, which an attacker can partially control through image dimensions and content. The vulnerability was published to the GitHub Advisory Database on May 16, 2026, and updated on May 18, 2026. No specific CVE ID has been assigned as of the available data.

DailyCVE Form:

  • Platform: ImageMagick
  • Version: < 7.1.2-?
  • Vulnerability: Heap buffer over-read
  • Severity: Moderate
  • Date: May 16, 2026
  • Prediction: Patch expected May 25, 2026

What Undercode Say: Analytics

The vulnerability allows remote attackers to trigger a denial of service (crash) or leak heap memory via a crafted image and a malformed `connected-components:keep-top` define. Given the widespread use of ImageMagick in web and media pipelines, this flaw poses a moderate risk. Attackers may chain it with other memory corruption bugs for information disclosure. The moderate CVSS score (likely 5.5) reflects the limited impact (DoS + potential leak) and requirement for user interaction.

Bash Commands and Codes

Trigger the vulnerability with a crafted image and invalid keep-top value
convert -define connected-components:keep-top=9999 exploit.png -connected-components 4 output.png
Detect the crash using AddressSanitizer (compiled with -fsanitize=address)
./magick -define connected-components:keep-top=9999 exploit.png -connected-components 4 output.png
Example ASan output:
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000ffff
READ of size 4 at 0x60400000ffff thread T0
0 in ConnectedComponentsImage in MagickCore/vision.c:...

Exploit

An attacker crafts an image with a small number of connected components (e.g., a 2×2 white square) and supplies -define connected-components:keep-top=9999. When `ConnectedComponentsImage()` attempts to access the 9999th component, it reads out of bounds, causing a crash. With careful heap grooming, the attacker may leak memory content from adjacent allocations.

Protection from this CVE

  • Upgrade to the latest ImageMagick version (once patch is released).
  • Validate `connected-components:keep-top` values against the actual component count before passing to ImageMagick.
  • Use `-policy` to restrict defines (e.g., -policy domain=resource name=define value=none).
  • Run ImageMagick in a sandbox (e.g., firejail, Docker) to limit impact.

Impact

  • Denial of Service: The crash halts image processing, affecting availability.
  • Information Disclosure: Heap memory contents may leak, exposing sensitive data.
  • No Remote Code Execution: The over-read is read-only, so code execution is not directly possible.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top