Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow leading to out-of-bounds write
Action: Apply Patch
AI Analysis

Impact

A heap buffer overflow exists in the WaveletDenoiseImage function of ImageMagick that allows a crafted image to trigger an out-of-bounds write. If an application uses the -wavelet-denoise operation on a malicious image, memory corruption can occur, potentially resulting in an application crash or, in the worst case, arbitrary code execution. The flaw exists in all releases before 7.1.2-16 and 6.9.13-41.

Affected Systems

ImageMagick versions prior to 7.1.2-16 and 6.9.13-41. The software is widely deployed for image processing on servers, desktops, and embedded systems.

Risk and Exploitability

The assessed CVSS score of 5.5 indicates moderate severity, suggesting that while exploitation may not be trivial, the presence of a heap overflow can be damaging. The EPSS score of less than 1% indicates a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers likely require that a compromised or untrusted image be processed by an ImageMagick-based application, implying a local or remote file-based vector depending on how the image is supplied. No public exploit code is available according to the provided references.

Generated by OpenCVE AI on April 16, 2026 at 10:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-16 or higher or 6.9.13-41 or higher, which contains the fix for the WaveletDenoiseImage heap overflow.
  • Restrict the use of the "-wavelet-denoise" operation to trusted images only; if possible, disable the operation or move image processing to a sandboxed environment to prevent untrusted images from triggering the overflow.
  • Monitor image-processing applications for abnormal crashes or memory errors, and apply additional runtime protections such as AddressSanitizer or SELinux hardening if available.
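The first recommended action depends on knowing which of the two maintained branches a host runs, because the fixed release differs per branch (7.1.2-16 on 7.x, 6.9.13-41 on 6.x). The following is an added example, not code from OpenCVE or the ImageMagick project: it parses the banner printed by `magick -version` (or the legacy `convert -version`) and reports whether the build predates the fix on its own branch. The sample banner lines are constructed for illustration; the function and variable names are the example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, release)

# First fixed release on each maintained branch, as stated in the advisory.
FIXED_BY_BRANCH = {7: (7, 1, 2, 16), 6: (6, 9, 13, 41)}

# ImageMagick prints a line such as "Version: ImageMagick 7.1.1-38 Q16-HDRI x86_64 ..."
VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull (major, minor, patch, release) out of -version output; None if absent."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch, release = (int(g) for g in match.groups())
    return (major, minor, patch, release)


def is_affected(version: Version) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if it is fixed.

    Returns None for a major version the advisory does not cover, so an
    unknown build is never silently treated as safe.
    """
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic: patch level, then release number.
    return version < fixed


def assess(text: str) -> str:
    """Classify raw -version output: 'affected', 'fixed', 'unknown-branch' or 'unparsed'."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    verdict = is_affected(version)
    if verdict is None:
        return "unknown-branch"
    return "affected" if verdict else "fixed"


def assess_installed() -> str:
    """Try the 7.x 'magick' binary, then the legacy 'convert' name, and assess it."""
    for cmd in (["magick", "-version"], ["convert", "-version"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
        except (OSError, subprocess.TimeoutExpired):
            continue
        return assess(out)
    return "not-installed"


# Constructed sample banner lines (hypothetical hosts, not captured output).
SAMPLES = {
    "Version: ImageMagick 7.1.1-38 Q16-HDRI x86_64 22571 https://imagemagick.org": "affected",
    "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 22573 https://imagemagick.org": "affected",
    "Version: ImageMagick 7.1.2-16 Q16-HDRI x86_64 22574 https://imagemagick.org": "fixed",
    "Version: ImageMagick 6.9.12-98 Q16 x86_64 18038 https://legacy.imagemagick.org": "affected",
    "Version: ImageMagick 6.9.13-41 Q16 x86_64 18038 https://legacy.imagemagick.org": "fixed",
    "Version: GraphicsMagick 1.3.42 2023-09-23 Q16": "unparsed",
}

if __name__ == "__main__":
    for banner, expected in SAMPLES.items():
        result = assess(banner)
        print(f"{result:14} (expected {expected:9}) {banner}")
    print("local install:", assess_installed())
```

Running the script on a host prints one line per sample and then the verdict for the locally installed binary; in a fleet inventory the `assess()` function can be fed the banner collected by whatever agent already gathers package versions. A 6.x host reporting "affected" needs 6.9.13-41, not a jump to 7.x, if the legacy API must be preserved.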

Generated by OpenCVE AI on April 16, 2026 at 10:05 UTC.

Advisories

Source       ID                    Title
Debian DLA   DLA-4539-1            imagemagick security update
Debian DSA   DSA-6169-1            imagemagick security update
Debian DSA   DSA-6210-1            imagemagick security update
Github GHSA  GHSA-5ggv-92r5-cp4p   ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage
History

Wed, 11 Mar 2026 18:00:00 +0000
  Type: CPEs
  Values: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000
  Type: Weaknesses
  Values: CWE-787
  Type: References
  Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Moderate

Tue, 10 Mar 2026 16:15:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000
  Type: First Time appeared
  Values Added: Imagemagick; Imagemagick imagemagick
  Type: Vendors & Products
  Values Added: Imagemagick; Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000
  Type: Description
  Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
  Type: Title
  Values Added: ImageMagick has a heap Buffer Overflow in WaveletDenoiseImage
  Type: Weaknesses
  Values Added: CWE-122
  Type: References
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:48:27.131Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30936

Vulnrichment

Updated: 2026-03-10T14:48:18.670Z

NVD

Status : Analyzed

Published: 2026-03-10T07:44:57.663

Modified: 2026-03-11T17:48:46.670

Link: CVE-2026-30936

Redhat

Severity : Moderate

Public Date: 2026-03-09T21:49:36Z

Links: CVE-2026-30936 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses