Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-16, BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the -bilateral-blur operation, an out-of-bounds read can occur. This vulnerability is fixed in 7.1.2-16.
Published: 2026-03-09
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Buffer Over-Read leading to potential information disclosure
Action: Patch immediately
AI Analysis

Impact

ImageMagick's BilateralBlurImage function performs an incorrect conversion that can lead to a heap buffer over-read when processing a crafted image with the -bilateral-blur option. The over-read allows an attacker to read memory beyond the intended buffer boundaries, potentially exposing internal data and enabling information disclosure. The weakness is identified as a buffer over-read (CWE‑125) and an integer overflow risk (CWE‑190).

Affected Systems

All ImageMagick releases prior to 7.1.2‑16 are affected, as identified by the CPE entry for imagemagick:imagemagick. No affected products beyond this are listed. The fix is available from version 7.1.2‑16 onward.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a specially crafted image that is then processed with the -bilateral-blur operation; such input could arise in environments where images are processed automatically, such as web applications or image services. The absence of a high exploitability score and of public exploitation evidence lowers the immediate risk, but the potential for information disclosure warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 10:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑16 or later, which contains the fix for the BilateralBlurImage buffer over-read.
  • If an upgrade is not immediately possible, restrict or disable the -bilateral-blur operation in ImageMagick's policy configuration or avoid processing untrusted images with that option.
  • Validate all incoming images against expected formats and sizes before invoking BilateralBlurImage to reduce the chance of processing malformed input.



Advisories
Source | ID | Title
Debian DSA | DSA-6169-1 | imagemagick security update
GitHub GHSA | GHSA-cqw9-w2m7-r2m2 | ImageMagick has Heap Buffer Over-Read in BilateralBlurImage

History

Wed, 11 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Tue, 10 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Imagemagick; Imagemagick imagemagick
Vendors & Products | | Imagemagick; Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-16, BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the -bilateral-blur operation, an out-of-bounds read can occur. This vulnerability is fixed in 7.1.2-16.
Title | | ImageMagick has a heap Buffer Over-Read in BilateralBlurImage
Weaknesses | | CWE-125; CWE-190
References | |
Metrics | | cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:50:58.727Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30935

Vulnrichment

Updated: 2026-03-10T14:50:53.929Z

NVD

Status: Analyzed

Published: 2026-03-10T07:44:57.483

Modified: 2026-03-11T17:45:20.950

Link: CVE-2026-30935

Redhat

Severity: Moderate

Public Date: 2026-03-09T21:48:47Z

Links: CVE-2026-30935 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses