CVE-2026-56370 | ImageMagick before 7.1.2-19 contains an out-of-bounds access… | CVSS 3.3 LOW

Description

ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.

Metadata

CVE ID: CVE-2026-56370
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-21 02:05 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 11:53 UTC
Primary CWE: CWE-125
Out-of-bounds Read
Vendor / Product: ImageMagick / ImageMagick
Sources: cve.org · NVD

Severity & Metrics

3.3 LOW CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected products (2)

Vendor	Product	Platform	Versions
ImageMagick	ImageMagick	—	0 < 7.1.2-19, 7.1.2-19
ImageMagick	ImageMagick	—	0 < 6.9.13-44, 6.9.13-44

Weakness (CWE)

CWE	Source	Description
CWE-125	cna	Out-of-bounds Read

CVSS scores (2)

Score	Severity	Version	Source	Vector
4.8	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3.3	LOW	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References (2)

GitHub Security Advisory (GHSA-pmpg-6pww-fg6q) https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pmpg-6pww-fg6q
VulnCheck Advisory: ImageMagick - Out-of-bounds Access in ConnectedComponentsImage via connected-components Artifact https://www.vulncheck.com/advisories/imagemagick-out-of-bounds-access-in-connectedcomponentsimage-via-connected-components-artifact