CVE-2026-56370
Status: Received - Intake
ImageMagick Out-of-Bounds Access in ConnectedComponentsImage

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor       Product       Version / Range
imagemagick  imagemagick   up to 7.1.2-19 (excluding)
imagemagick  imagemagick   up to 6.9.13-44 (excluding)
CWE ID    Description
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-56370 is an out-of-bounds access vulnerability in ImageMagick versions before 7.1.2-19 and 6.9.13-44. It occurs in the ConnectedComponentsImage() function when processing connected-components artifacts that contain invalid indices.

Attackers can exploit this vulnerability by providing malformed connected-components definitions via the command line interface, which causes the program to access memory outside its intended bounds.

This can lead to access violations, resulting in denial of service or potentially arbitrary code execution.

Impact Analysis

This vulnerability primarily impacts the availability of the affected system by causing denial of service through access violations.

In some cases, it may also allow an attacker to execute arbitrary code, which could lead to further compromise of the system.

The attack requires local access, has low complexity, and does not require privileges or user interaction beyond initial setup.

Detection Guidance

This vulnerability involves an out-of-bounds access in the ConnectedComponentsImage() function when processing connected-components artifacts with invalid indices via the command line interface.

Detection can involve checking the version of ImageMagick installed on your system to see if it is prior to 7.1.2-19 or 6.9.13-44, which are the patched versions.

You can run the following command to check the installed ImageMagick version:

  • magick -version

Additionally, monitoring for any unusual crashes or denial of service events related to ImageMagick when processing connected-components artifacts via CLI could indicate exploitation attempts.
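The version check described above, as an added example that is not part of the advisory: a small POSIX shell helper that parses the first line of `magick -version` (or `convert -version` on the 6.x branch) and compares the reported version against the fixed releases named on this page, 7.1.2-19 for the 7.x branch and 6.9.13-44 for the 6.x branch. Function names and the sample output line are constructed for this example.

```shell
#!/bin/sh
# Added example: classify an installed ImageMagick as vulnerable/fixed
# for CVE-2026-56370 using the fixed versions from the advisory.
# Fixed releases (from the advisory): 7.1.2-19 (7.x), 6.9.13-44 (6.x).

# Split "A.B.C-D" into four integers printed space-separated; prints
# nothing if the string is not in that shape.
im_version_fields() {
    printf '%s\n' "$1" | sed -n \
      's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3 \4/p'
}

# Return 0 if version $1 is numerically lower than version $2,
# 1 if equal or higher, 2 if either string could not be parsed.
im_version_lt() {
    a=$(im_version_fields "$1"); b=$(im_version_fields "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    set -- $a $b
    i=1
    while [ "$i" -le 4 ]; do
        eval "x=\$$i; y=\$$((i+4))"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i+1))
    done
    return 1
}

# Given raw `magick -version` / `convert -version` output, print
# "vulnerable", "fixed" or "unknown" (unparseable or unexpected branch).
im_status() {
    ver=$(printf '%s\n' "$1" \
          | sed -n 's/.*ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' \
          | head -n 1)
    [ -n "$ver" ] || { echo unknown; return; }
    case "$ver" in
        7.*) fixed=7.1.2-19 ;;
        6.*) fixed=6.9.13-44 ;;
        *)   echo unknown; return ;;
    esac
    if im_version_lt "$ver" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Constructed sample output (not captured from a real system) for a
# pre-fix 7.x build; the first line is the one the parser uses.
SAMPLE_OUTPUT='Version: ImageMagick 7.1.1-26 Q16-HDRI x86_64 22123 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC'

# Live check: only runs when an ImageMagick binary is on PATH.
if command -v magick >/dev/null 2>&1; then
    echo "installed magick: $(im_status "$(magick -version)")"
elif command -v convert >/dev/null 2>&1; then
    echo "installed convert: $(im_status "$(convert -version)")"
fi
```

The comparison is field-wise numeric rather than a string compare, so 7.1.2-9 is correctly ranked below 7.1.2-19 and 7.2.0-0 above it; distribution-patched builds that backport the fix without bumping the version will still report as vulnerable and need to be checked against the vendor's changelog.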

Mitigation Strategies

The primary mitigation step is to upgrade ImageMagick to version 7.1.2-19 or later, or 6.9.13-44 or later, where this vulnerability has been patched.

Until the upgrade is applied, avoid processing connected-components artifacts with untrusted or malformed input via the command line interface to prevent triggering the vulnerability.

Restrict local access to systems running vulnerable versions of ImageMagick to trusted users only, as the attack requires local access.

Compliance Impact

The vulnerability primarily impacts availability by causing denial of service or potential code execution through out-of-bounds access. There are no direct effects on confidentiality or integrity.

Since the vulnerability does not directly compromise data confidentiality or integrity, its impact on compliance with standards like GDPR or HIPAA, which focus heavily on protecting personal data confidentiality and integrity, is likely limited.

However, denial of service or potential code execution could indirectly affect compliance if it disrupts availability of systems handling regulated data.
