Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.3
ImageMagick CLI Tool Allows Data Exposure
GHSA-pmpg-6pww-fg6q
Summary
Using ImageMagick's command line tool with an invalid index can cause the program to crash or potentially leak sensitive data. This issue affects users who rely on ImageMagick for image processing. To mitigate, ensure that any custom 'connected-components:*' definitions are properly configured and validated.
What to do
- Update magick.net-q16-anycpu to version 14.20.0.
- Update magick.net-q16-hdri-anycpu to version 14.20.0.
- Update magick.net-q16-hdri-openmp-arm64 to version 14.20.0.
- Update magick.net-q16-hdri-arm64 to version 14.20.0.
- Update magick.net-q16-hdri-x64 to version 14.20.0.
- Update magick.net-q16-hdri-x86 to version 14.20.0.
- Update magick.net-q16-openmp-arm64 to version 14.20.0.
- Update magick.net-q16-openmp-x64 to version 14.20.0.
- Update magick.net-q16-arm64 to version 14.20.0.
- Update magick.net-q16-x64 to version 14.20.0.
- Update magick.net-q16-x86 to version 14.20.0.
- Update magick.net-q16-hdri-openmp-x64 to version 14.20.0.
- Update magick.net-q8-anycpu to version 14.20.0.
- Update magick.net-q8-openmp-arm64 to version 14.20.0.
- Update magick.net-q8-openmp-x64 to version 14.20.0.
- Update magick.net-q8-arm64 to version 14.20.0.
- Update magick.net-q8-x64 to version 14.20.0.
- Update magick.net-q8-x86 to version 14.20.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| nuget | – | magick.net-q16-anycpu |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-hdri-anycpu |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-hdri-openmp-arm64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-hdri-arm64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-hdri-x64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-hdri-x86 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-openmp-arm64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-openmp-x64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-arm64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-x64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-x86 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q16-hdri-openmp-x64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q8-anycpu |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q8-openmp-arm64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q8-openmp-x64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q8-arm64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q8-x64 |
< 14.20.0 Fix: upgrade to 14.20.0
|
| nuget | – | magick.net-q8-x86 |
< 14.20.0 Fix: upgrade to 14.20.0
|
Original title
ImageMagick has out-of-bounds access in ConnectedComponentsImage() via CLI-controlled connected-components:* artifacts
Original description
When the `connected-components:*` define specifies an invalid index and out of bound operation will result in an access violation.
ghsa CVSS3.1
3.3
Vulnerability type
CWE-125
Out-of-bounds Read
CWE-787
Out-of-bounds Write
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026