Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption that can lead to application crash or potential exploitation.
Action: Apply patch
AI Analysis

Impact

ImageMagick contains an integer overflow in the DIB image coder that allows an attacker to craft a malformed DIB file, causing the program to read beyond allocated memory or write out of bounds. This memory corruption can lead to an application crash (denial of service) and, based on the nature of the flaw, may also create an opportunity for arbitrary code execution. The possibility of code execution is inferred from the type of buffer overflow described by the associated CWEs, but the CVE entry itself does not confirm a published exploit.

Affected Systems

The vulnerability affects all versions of ImageMagick prior to 7.1.2‑16 and 6.9.13‑41. Many installations on Linux, Windows and macOS systems may still be running these older releases and may process image files provided by external or untrusted sources.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the ingestion of a specially crafted DIB image through any application or service that calls ImageMagick to decode images. This inference is based on the observation that the flaw is triggered by malformed image data.

Generated by OpenCVE AI on April 16, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑16 or 6.9.13‑41, which contains the fix for the integer overflow in the DIB coder.
  • If an upgrade is not immediately possible, restrict the processing of untrusted DIB images or disable DIB support entirely, and run ImageMagick in a sandboxed or least‑privilege environment to limit the impact of any memory corruption.
  • Enable monitoring of application crashes and anomalous memory usage patterns that could indicate exploitation of the vulnerable DIB coder.

Generated by OpenCVE AI on April 16, 2026 at 10:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Github GHSA Github GHSA GHSA-hffp-q43q-qq76 ImageMagick: Integer overflow in DIB coder can result in out of bounds read or write
History

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 10 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has an integer overflow in DIB coder can result in out of bounds read or write
Weaknesses CWE-125
CWE-190
CWE-787
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:56:28.087Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28693

cve-icon Vulnrichment

Updated: 2026-03-10T15:57:47.934Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:44.577

Modified: 2026-03-11T17:44:47.320

Link: CVE-2026-28693

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-09T21:42:28Z

Links: CVE-2026-28693 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses