Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-11
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ImageMagick, widely used for image editing, contains a heap buffer overflow in its SFW decoder when parsing extremely large images on 32‑bit systems. The overflow can trigger a process crash, resulting in a denial of service. The weakness is identified as CWE‑122, an out‑of‑bounds write that corrupts heap memory.

Affected Systems

The issue affects all 32‑bit installations of ImageMagick versions released prior to 7.1.2‑16 on the 7.x branch and prior to 6.9.13‑41 on the 6.x branch. Any environment running those earlier builds is vulnerable, regardless of operating system.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. EPSS reports an exploitation likelihood of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by providing a crafted, oversized image to any process that uses the SFW decoder, either remotely or locally depending on who can influence image input. The exploit path is straightforward: submit the large image, trigger the overflow, and cause a crash, leading to denial of service.

Generated by OpenCVE AI on March 17, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ImageMagick patch, upgrading to version 7.1.2‑16 or 6.9.13‑41

Generated by OpenCVE AI on March 17, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Github GHSA Github GHSA GHSA-56jp-jfqg-f8f4 ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder
History

Tue, 17 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a heap buffer over-write on 32-bit systems in SFW decoder
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:42:31.029Z

Reserved: 2026-03-09T19:02:25.011Z

Link: CVE-2026-31853

cve-icon Vulnrichment

Updated: 2026-03-11T17:42:20.885Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T17:16:58.760

Modified: 2026-03-17T19:08:12.847

Link: CVE-2026-31853

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-11T17:09:46Z

Links: CVE-2026-31853 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:22Z

Weaknesses