Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, when a memory allocation fails in the sixel encoder it would be possible to write past the end of a buffer on the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-12
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stack Buffer Overflow
Action: Patch Immediately
AI Analysis

Impact

ImageMagick has a possible stack buffer overflow in its sixel encoder. When a memory allocation fails during sixel encoding, the program can write beyond the end of a stack buffer, potentially corrupting memory. This flaw is a classic stack buffer overflow (CWE-121) that could lead to exploitation such as arbitrary code execution or program termination, depending on the attacker's control over the input.

Affected Systems

Affected product is ImageMagick. Versions before 7.1.2-16 and before 6.9.13-41 are vulnerable. The vulnerability is fixed in ImageMagick 7.1.2-16 and 6.9.13-41.

Risk and Exploitability

The CVSS severity is 6.7 (Medium). EPSS indicates a very low likelihood of exploitation (<1%). It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves processing a malicious sixel-encoded image; therefore, local or remote attacker with ability to submit such data to the vulnerable ImageMagick instance could exploit the flaw.

Generated by OpenCVE AI on March 18, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ImageMagick to version 7.1.2-16 or newer, or 6.9.13-41 or a later release.
  • Verify that the upgrade has been applied correctly by checking the installed version.
  • If an update cannot be performed immediately, avoid processing sixel encoded images until the fix is applied.
  • Monitor vendor advisories for any additional patches or recommendations.

Generated by OpenCVE AI on March 18, 2026 at 15:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
History

Wed, 18 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Sat, 14 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Thu, 12 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, when a memory allocation fails in the sixel encoder it would be possible to write past the end of a buffer on the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a possible stack buffer overflow in sixel encoder
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:14:03.956Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32259

cve-icon Vulnrichment

Updated: 2026-03-13T16:13:59.926Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T20:16:05.863

Modified: 2026-03-18T14:29:45.200

Link: CVE-2026-32259

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-12T19:38:12Z

Links: CVE-2026-32259 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:54:51Z

Weaknesses