Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out-of-bounds read when a specific offset is set through the `sample:offset` define. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Disclosure via Out-of-Bounds Read
Action: Patch
AI Analysis

Impact

ImageMagick is a widely used open-source image manipulation library. The vulnerability lies in the -sample operation when a user sets the sample:offset define to a specific value. This configuration triggers an out-of-bounds read in the image sampling routine, reading data past the intended buffer limits. The read does not alter image data, but it can expose memory contents of the host process, which could lead to information disclosure or leakage of private data. The weakness is identified as CWE-125: Out-of-Bounds Read.

Affected Systems

Vulnerable versions include all releases of ImageMagick 6 before 6.9.13-44 and all releases of ImageMagick 7 before 7.1.2-19. The issue is fixed in ImageMagick 6.9.13-44 and 7.1.2-19. Systems that run these versions and process images with the -sample option, especially with a custom sample:offset define, are at risk.

Risk and Exploitability

The CVSS scoring indicates a medium risk with a base score of 5.5. Triggering the issue requires an image to be processed with the -sample option and a specific sample:offset define. Because the vulnerability is triggered only while ImageMagick processes an image, the attack vector is likely local or opportunistic, depending on the context of image ingestion. No public exploits have been reported and the vulnerability is not yet listed in the CISA KEV database. Nevertheless, the potential for data leakage warrants prompt mitigation.

Generated by OpenCVE AI on April 13, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the ImageMagick patches to reach at least version 6.9.13-44 or 7.1.2-19.
  • If an upgrade cannot be performed immediately, do not use the -sample option with a custom sample:offset on images from untrusted sources.
  • Restrict or sanitize image inputs before passing them to ImageMagick to reduce risk.
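The two checks a practitioner would want for the actions above are (a) whether an installed ImageMagick is below the fixed version on its major line and (b) whether a given command line combines -sample with a sample:offset define. The script below is an added example, not OpenCVE's or ImageMagick's own code; it assumes the version string format `major.minor.micro-patch` (e.g. `7.1.2-19`) that `magick -version` / `convert -version` print, the sample output line is constructed, and `uses_custom_sample_offset` is a hypothetical audit helper rather than anything ImageMagick ships.

```python
import re
from typing import Optional, Sequence, Tuple

# Fixed versions taken from the advisory text; everything on the same
# major line below these values is affected.
FIXED_VERSIONS = {
    6: (6, 9, 13, 44),
    7: (7, 1, 2, 19),
}

# ImageMagick versions look like "7.1.2-19": major.minor.micro-patch.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Pull (major, minor, micro, patch) out of a bare version string or the
    first line of `magick -version` / `convert -version` output.

    All four fields become integers so the patch level compares numerically:
    "7.1.2-9" must sort below "7.1.2-19", which a plain string comparison
    gets wrong (and would mark a vulnerable build as fixed).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro, patch = (int(x) for x in m.groups())
    return (major, minor, micro, patch)


def is_vulnerable(version: Tuple[int, int, int, int]) -> Optional[bool]:
    """True if below the fix on its major line, False if at or above the fix,
    None if the major line is not covered by the advisory."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def uses_custom_sample_offset(argv: Sequence[str]) -> bool:
    """Hypothetical audit helper: True when an ImageMagick command line combines
    -sample with a sample:offset define, the configuration the second
    recommended action says to avoid on images from untrusted sources."""
    has_sample = "-sample" in argv
    has_offset_define = False
    for i, arg in enumerate(argv):
        # Defines are passed as "-define key=value"; a substring test also
        # catches comma-joined define lists.
        if arg == "-define" and i + 1 < len(argv) and "sample:offset" in argv[i + 1]:
            has_offset_define = True
    return has_sample and has_offset_define


if __name__ == "__main__":
    # Constructed sample of `magick -version` output, not captured tool output.
    SAMPLE_OUTPUT = "Version: ImageMagick 7.1.1-29 Q16-HDRI x86_64 https://imagemagick.org"
    v = parse_version(SAMPLE_OUTPUT)
    print("installed:", v, "vulnerable:", is_vulnerable(v))
    cmd = ["magick", "in.png", "-define", "sample:offset=75", "-sample", "50%", "out.png"]
    print("command combines -sample with sample:offset:", uses_custom_sample_offset(cmd))
```

Run it against the real `magick -version` output (e.g. `magick -version | python3 check.py` after swapping the constructed line for `sys.stdin.readline()`) to confirm an upgrade actually landed at or above 6.9.13-44 / 7.1.2-19; the numeric patch comparison is the part that matters, since package metadata and shell string tests routinely mis-order `-9` and `-19`.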


Advisories
Source: Github GHSA
ID: GHSA-pcvx-ph33-r5vv
Title: ImageMagick has an out-of-bounds read in sample operation
History

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Imagemagick; Imagemagick imagemagick

Type: Vendors & Products
Values Added: Imagemagick; Imagemagick imagemagick

Tue, 14 Apr 2026 00:15:00 +0000

Type: References
Values Added: (none listed)

Type: Metrics threat_severity
Values Removed: None
Values Added: threat_severity Moderate


Mon, 13 Apr 2026 21:30:00 +0000

Type: Description
Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out-of-bounds read when a specific offset is set through the `sample:offset` define. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

Type: Title
Values Added: ImageMagick has an Out-of-Bounds read via -sample operation

Type: Weaknesses
Values Added: CWE-125

Type: References
Values Added: (none listed)

Type: Metrics cvssV3_1
Values Added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Vendor: Imagemagick, Product: Imagemagick

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T21:02:58.121Z

Reserved: 2026-03-24T15:41:47.491Z

Link: CVE-2026-33905

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-13T22:16:28.837

Modified: 2026-04-13T22:16:28.837

Link: CVE-2026-33905

Redhat

Severity : Moderate

Public Date: 2026-04-13T21:02:58Z

Links: CVE-2026-33905 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:33:11Z

Weaknesses