CVE-2026-56370
C# Vulnerability Analysis and Mitigation

Overview

CVE-2026-56370 is an out-of-bounds access vulnerability in ImageMagick's ConnectedComponentsImage() function, triggered when processing connected-components artifacts with invalid indices via the CLI. It affects ImageMagick versions before 7.1.2-19 (7.x branch) and before 6.9.13-44 (6.x branch). The vulnerability was published on June 24, 2026, with the GitHub Security Advisory (GHSA-pmpg-6pww-fg6q) originally published April 13, 2026. It carries a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 base score of 4.8 (Medium) (GitHub Advisory, Feedly).

Technical Details

The root cause is improper bounds checking in the ConnectedComponentsImage() function when handling user-supplied connected-components:* define values (CWE-125: Out-of-bounds Read; CWE-787: Out-of-bounds Write). When a connected-components:* define specifies an invalid index, the function performs an out-of-bounds memory access, resulting in an access violation. Exploitation requires a local attacker to supply a malformed connected-components definition via the ImageMagick CLI (e.g., using -define connected-components:<invalid-index>=...), and user interaction is required in the sense that a user must process the malicious input. The vulnerability was reported by researcher ylwango613 (GitHub Advisory).

Impact

Successful exploitation can cause a denial of service via an access violation/crash of the ImageMagick process, with a low availability impact and no confidentiality or integrity impact under the assessed CVSS scoring. The description notes potential for code execution in more severe scenarios, though this has not been confirmed. The scope is limited to the local system and the affected ImageMagick process, with no lateral movement potential identified (GitHub Advisory, Feedly).

Exploitation Steps

  1. Prepare malicious input: Craft an ImageMagick CLI command that uses the -define flag to specify a connected-components:* artifact with an invalid (out-of-bounds) index value, such as magick input.png -define connected-components:99999999=<value> -connected-components 4 output.png.
  2. Deliver to target: Convince a user or automated pipeline running a vulnerable ImageMagick version (< 7.1.2-19 or < 6.9.13-44) to process the crafted command or a file that triggers this code path.
  3. Trigger out-of-bounds access: When ConnectedComponentsImage() processes the invalid index, it performs an out-of-bounds memory read or write, causing an access violation.
  4. Achieve denial of service (or potentially code execution): The process crashes due to the access violation, resulting in denial of service; in edge cases, memory corruption could theoretically be leveraged for code execution (GitHub Advisory).

Indicators of Compromise

  • Process: Unexpected crashes or segmentation faults in the magick or convert process, particularly when processing images with connected-components operations.
  • Logs: Application or system logs showing access violation errors or segfaults originating from ConnectedComponentsImage() in ImageMagick.
  • File System: Presence of core dump files generated by a crashed ImageMagick process in working directories.
  • Command Line: Audit logs showing ImageMagick CLI invocations with -define connected-components:* flags containing unusual or large index values (GitHub Advisory).
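As an added detection example (not part of the advisory and not ImageMagick's own code), the following Python scans constructed command-line audit records for the last indicator above: ImageMagick invocations whose -define connected-components key is a numeric index that is negative or above a threshold. The audit-record layout, the treatment of a purely numeric key as a label index, and the 10,000 threshold are assumptions made for the example.

```python
import re
import shlex
# Added example (not advisory or ImageMagick code): flag audited ImageMagick CLI
# runs whose -define connected-components key is a numeric index out of range.
IMAGEMAGICK_BINARIES = {"magick", "convert"}
CC_DEFINE_RE = re.compile(r"^connected-components:(?P<key>[^=]*)=(?P<value>.*)$")
FIELDS = ("timestamp", "user", "key", "value", "reason")

def check_cc_define(token: str, max_index: int):
    """(key, value, reason) for an implausible numeric index, else None."""
    m = CC_DEFINE_RE.match(token)
    # Named options such as area-threshold are not label indices: skip them.
    if not m or not re.fullmatch(r"[+-]?\d+", m.group("key")):
        return None
    index = int(m.group("key"))
    if index < 0:
        return m.group("key"), m.group("value"), f"negative index {index}"
    if index > max_index:
        return m.group("key"), m.group("value"), f"index {index} exceeds {max_index}"
    return None

def find_suspicious_invocations(log_text: str, max_index: int = 10_000) -> list:
    """Scan '<timestamp> <user> <command line>' records; return dicts of hits."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        timestamp, user, cmdline = parts
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            continue  # unbalanced quoting: skip the record rather than abort
        if not argv or argv[0].rsplit("/", 1)[-1] not in IMAGEMAGICK_BINARIES:
            continue
        for i, tok in enumerate(argv[:-1]):
            hit = check_cc_define(argv[i + 1], max_index) if tok == "-define" else None
            if hit:
                findings.append(dict(zip(FIELDS, (timestamp, user, *hit))))
    return findings
# Constructed sample audit log (not real data); the 99999999 index mirrors the
# out-of-range pattern quoted in the advisory text above. max_index is a heuristic.
SAMPLE_AUDIT_LOG = """\
2026-06-25T10:01:12Z alice magick input.png -connected-components 4 out.png
2026-06-25T10:02:45Z bob magick scan.png -define connected-components:area-threshold=100 -connected-components 8 out.png
2026-06-25T10:03:01Z svc-pipeline /usr/bin/magick up.png -define connected-components:99999999=1 -connected-components 4 out.png
2026-06-25T10:04:20Z carol convert photo.jpg -define connected-components:3=keep -connected-components 4 out.png
2026-06-25T10:05:09Z dave magick a.png -define connected-components:-1=x -connected-components 4 b.png
"""
```

Running `find_suspicious_invocations(SAMPLE_AUDIT_LOG)` reports the svc-pipeline and dave records and leaves the named-option and small-index invocations alone.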

Mitigations and Workarounds

Upgrade ImageMagick to version 7.1.2-19 or later (7.x branch) or 6.9.13-44 or later (6.x branch), which contain the fix for this vulnerability. No configuration-based workarounds have been published; the primary remediation is patching. Organizations using ImageMagick in automated image processing pipelines should prioritize updating, particularly if they accept user-supplied CLI arguments or image files (GitHub Advisory).

Community Response

The vulnerability received limited public attention given its Low/Medium severity rating. A Bluesky post from a CVE tracking account noted the disclosure shortly after publication. No significant vendor statements beyond the official GitHub Security Advisory or notable researcher commentary have been identified (Feedly).

Related Information

Sources

This report was generated using AI.

Related C# vulnerabilities:

CVE Identifier | Severity | Score | Technology | Component Name | CISA KEV Exploited | Fix Available | Published
CVE-2026-48109 | HIGH | 8.2 | C# | messagepack | No | Yes | Jun 22, 2026
CVE-2026-54784 | HIGH | 7.4 | C# | CoreWCF.Primitives | No | Yes | Jun 19, 2026
CVE-2026-54783 | HIGH | 7.4 | C# | CoreWCF.Primitives | No | Yes | Jun 19, 2026
CVE-2026-56370 | NONE | N/A | C# | Magick.NET-Q16-HDRI-arm64 | No | Yes | Jun 25, 2026
CVE-2026-56368 | NONE | N/A | C# | imagemagick | No | Yes | Jun 25, 2026
