Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.
Published: 2026-03-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via application crash
Action: Patch
AI Analysis

Impact

ImageMagick contains a heap-buffer-overflow in the NewXMLTree method that can cause a crash due to an out‑of‑bounds write of a single zero byte. The vulnerability is a classic buffer overflow (CWE‑787) and its immediate impact is a denial of service when the affected software processes a crafted file.

Affected Systems

The issue exists in the ImageMagick image processing library for all versions prior to 7.1.2‑17 and 6.9.13‑42. These releases are the minimum patches that fix the bug. No other image creation or rendering components are listed as affected.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, the attack vector is not explicitly detailed; it is inferred that the flaw could be triggered by remote or local ingestion of a specially crafted image. Even with a low exploitation probability, the impact of a crash on critical services warrants prompt remediation.

Generated by OpenCVE AI on March 19, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply ImageMagick 7.1.2‑17 or later to remediate the vulnerability
  • Apply ImageMagick 6.9.13‑42 or later if using the older major line
  • Restart all services that depend on ImageMagick to load the updated library
  • Verify that no older versions of ImageMagick are present on the system
  • Monitor application logs for repeated crashes or abnormal behavior

Generated by OpenCVE AI on March 19, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Debian DSA Debian DSA DSA-6240-1 imagemagick security update
Github GHSA Github GHSA GHSA-gc62-2v5p-qpmp ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash
History

Thu, 19 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.
Title ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T14:55:13.916Z

Reserved: 2026-03-12T15:29:36.559Z

Link: CVE-2026-32636

cve-icon Vulnrichment

Updated: 2026-03-19T14:55:08.528Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T21:16:26.583

Modified: 2026-03-19T18:42:15.900

Link: CVE-2026-32636

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T20:39:44Z

Links: CVE-2026-32636 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:14Z

Weaknesses