Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted image. This vulnerability is fixed in 7.1.2-16.
Published: 2026-03-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds write via integer overflow
Action: Immediate Patch
AI Analysis

Impact

ImageMagick, a widely-used image processing library, contains an integer overflow in its SIXEL decoder. The overflow can lead to an out-of-bounds write when a specially crafted image is parsed, potentially corrupting memory and causing crashes or enabling an attacker to execute arbitrary code. This vulnerability otherwise remains a local flaw that can be triggered by any entity able to influence image decoding, such as a user, a network service, or a malicious third‑party resource.

Affected Systems

The flaw affects the ImageMagick software family, specifically all releases prior to version 7.1.2‑16. Systems running any earlier 7.x series or previous major releases are vulnerable if they compile or ship the legacy decoder component and accept external image input.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity, and the EPSS of less than 1% signals a very low but non‑zero likelihood of exploitation. ImageMagick is not listed in the CISA KEV catalog, suggesting no publicly known active exploitation at the time of analysis. The attack vector is inferred to be a malformed image received or processed locally or by a service that uses ImageMagick, which can trigger the out‑of‑bounds write without requiring elevated privileges.

Generated by OpenCVE AI on April 17, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑16 or later.
  • If an upgrade cannot be performed immediately, restrict or filter image inputs so that only trusted sources are processed, or disable SIXEL decoding for untrusted images.
  • Disable the SIXEL decoder entirely if it is not needed for your application, or run ImageMagick processes in a restricted environment to limit the impact of a potential exploit.

Generated by OpenCVE AI on April 17, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Github GHSA Github GHSA GHSA-r39q-jr8h-gcq2 ImageMagick has Integer Overflow leading to out of bounds write in SIXEL decoder
History

Thu, 12 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted image. This vulnerability is fixed in 7.1.2-16.
Title ImageMagick has a Integer Overflow leading to out of bounds write in SIXEL decoder
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:17:04.148Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28493

cve-icon Vulnrichment

Updated: 2026-03-10T17:16:59.765Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:39.867

Modified: 2026-03-12T15:19:11.260

Link: CVE-2026-28493

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:29:39Z

Links: CVE-2026-28493 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses