Back to list

ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define — CVE-2026-45359

GitHub · GitHub · CVE-2026-45359

ID
CVE-2026-45359
Date
Activity
Source
GitHub
Vendor
GitHub
Threat
medium
CVSS
5.7

Summary

An invalid `connected-components:keep-top` value could result in a heap buffer over-read when performing the connected components operation.

Product

nuget: Magick.NET-Q16-AnyCPU | nuget: Magick.NET-Q16-HDRI-AnyCPU | nuget: Magick.NET-Q16-HDRI-OpenMP-arm64 | nuget: Magick.NET-Q16-HDRI-OpenMP-x64 | nuget: Magick.NET-Q16-HDRI-arm64 | nuget: Magick.NET-Q16-HDRI-x64 | nuget: Magick.NET-Q16-HDRI-x86 | nuget: Magick.NET-Q16-OpenMP-arm64 | +10

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21