Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption due to Heap Overflow
Action: Apply Patch
AI Analysis

Impact

ImageMagick suffers a buffer overflow in the PNG encoder when an image contains an extremely large profile. The overflow corrupts heap memory, creating an opportunity for memory corruption if an attacker can supply the crafted image. The weakness is classified as a buffer overflow (CWE‑120) and buffer over-read (CWE‑119). Based on the description, it is inferred that the attack vector would rely on an attacker supplying a crafted image to the vulnerable PNG encoder.

Affected Systems

Vulnerable builds of ImageMagick are any versions earlier than 7.1.2-16 for the 7.x series and earlier than 6.9.13-41 for the 6.x series. Any deployment that decodes or encodes PNG files with these versions is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 5.7, indicating moderate severity, and an EPSS of less than 1%, showing a very low probability of exploitation at this time. It is not currently listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker must deliver a PNG image containing an oversized profile to the vulnerable software. Successful exploitation could lead to memory corruption that may affect the stability or confidentiality of the host where the image is processed.

Generated by OpenCVE AI on April 18, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to at least 7.1.2-16 or 6.9.13-41, or a later release that contains the fix.
  • On systems that cannot be updated immediately, configure the image processing pipeline to reject PNG files with profiles exceeding a reasonable size threshold, or use the --limit option to bound allocation sizes.
  • If possible, isolate image decoding and encoding tasks in a sandboxed or restricted environment to contain any memory corruption.

Generated by OpenCVE AI on April 18, 2026 at 09:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Github GHSA Github GHSA GHSA-qmw5-2p58-xvrc ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder
History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder
Weaknesses CWE-119
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:54:05.736Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30883

cve-icon Vulnrichment

Updated: 2026-03-10T14:54:01.439Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:44:56.543

Modified: 2026-03-13T17:10:28.247

Link: CVE-2026-30883

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:45:55Z

Links: CVE-2026-30883 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses