ImageMagick: Heap Buffer Over-Read of 4 bytes in distort operation.
Description
When performing a polynomial distortion, an out-of-bounds over-read of 24 bytes can occur when specific arguments are supplied.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick has a heap buffer over-read of 24 bytes in the polynomial distortion operation, allowing information disclosure via crafted images.
Vulnerability
Overview
CVE-2026-45624 describes a heap buffer over-read vulnerability in ImageMagick's polynomial distortion operation. When specific arguments are supplied, the software reads 24 bytes beyond the allocated buffer boundary, leading to an out-of-bounds read [1][2]. This flaw resides in the core image processing library and affects multiple distributions, including the Magick.NET bindings.
Exploitation
Conditions
An attacker can exploit this vulnerability by crafting a malicious image file that triggers the polynomial distortion with specially chosen parameters. The attack vector is network-based, requires no privileges, and has low complexity, but it does require user interaction—such as opening the crafted image in an application that uses ImageMagick [2]. No authentication is needed, making it accessible to remote attackers.
Impact
The over-read can expose up to 24 bytes of adjacent heap memory, potentially leaking sensitive information such as cryptographic keys, user data, or other confidential content. The CVSS v3.1 score reflects a high confidentiality impact, while integrity and availability remain unaffected [2]. This information disclosure could serve as a stepping stone for further attacks.
Mitigation
ImageMagick has addressed this issue in versions 14.13.1 and later of the Magick.NET packages, and the underlying C library fix is included in the corresponding ImageMagick release [1]. Users are strongly advised to update to the latest patched version. No workarounds are documented, so upgrading is the recommended course of action.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 14.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.