Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of service
Action: Patch
AI Analysis

Impact

ImageMagick’s JBIG decoder fails to verify that a pointer is initialized, causing the software to read from memory that has not yet been set. The flaw falls under CWE-252 and CWE-824 categories. When an attacker supplies a crafted image, the resulting memory corruption can cause the process to crash, providing a denial‑of‑service vector.

Affected Systems

The vulnerability impacts all releases of ImageMagick earlier than 7.1.2-16 and 6.9.13-41. Upgrading to 7.1.2-16 or later, or to 6.9.13-41 or later, removes the issue.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. Exploitation probability is reported to be below 1 percent and the flaw is not listed in the CISA KEV catalogue. The most likely attack vector is the processing of malicious image files, such as via command‑line utilities or applications that expose ImageMagick to external users. Successful exploitation would cause a denial of service.

Generated by OpenCVE AI on April 18, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-16 or later, or to 6.9.13-41 or later.
  • If an upgrade cannot be performed immediately, limit the JBIG decoder to images from trusted sources and validate inputs before processing.
  • Consider sandboxing or isolating any processes that invoke ImageMagick to contain potential memory corruption or denial of service.

Generated by OpenCVE AI on April 18, 2026 at 09:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Github GHSA Github GHSA GHSA-wj8w-pjxf-9g4f ImageMagick has uninitialized pointer dereference in JBIG decoder
History

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 10 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has an uninitialized pointer dereference in JBIG decoder
Weaknesses CWE-252
CWE-824
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T15:58:54.681Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28691

cve-icon Vulnrichment

Updated: 2026-03-10T15:58:52.055Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:44.280

Modified: 2026-03-11T17:40:00.793

Link: CVE-2026-28691

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-09T21:40:42Z

Links: CVE-2026-28691 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses