Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

The vulnerability is an integer overflow that occurs during the despeckle operation in ImageMagick on 32‑bit builds. The overflow corrupts the heap by writing beyond an allocated buffer. This out‑of‑bounds write can compromise the integrity of the process's memory and, if an attacker can trigger it, may allow arbitrary code execution or data tampering.

Affected Systems

The flaw affects ImageMagick releases prior to 7.1.2‑19 and 6.9.13‑44 when built for 32‑bit architectures. All 64‑bit builds and later releases are immune. Software that embeds the vulnerable binary, such as the .NET wrapper Magick.NET before version 14.12.0, is also impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely means of exploitation is by supplying a crafted image to a vulnerable service that performs despeckle on a 32‑bit build; this inference is made from the description of the overflow during image processing and not from an explicit exploitation statement.

Generated by OpenCVE AI on April 13, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ImageMagick 7.1.2‑19 or newer, or 6.9.13‑44 or newer.
  • Use 64‑bit builds of ImageMagick, which are unaffected.
  • Install Magick.NET 14.12.0 or newer, which includes the corrected binary.
  • If an upgrade or architecture change is not possible, isolate image processing from untrusted input and run it in a restricted environment.

Generated by OpenCVE AI on April 13, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-26qp-ffjh-2x4v ImageMagick has an integer overflow in despeckle operation causing a heap buffer overflow on 32-bit builds
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick: Integer overflow in despeckle operation causes heap buffer overflow on 32-bit builds
Weaknesses CWE-190
CWE-787
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:46:39.542Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34238

cve-icon Vulnrichment

Updated: 2026-04-14T13:46:33.629Z

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:29.310

Modified: 2026-04-13T22:16:29.310

Link: CVE-2026-34238

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T21:14:07Z

Links: CVE-2026-34238 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:09Z

Weaknesses