Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
Published: 2026-04-13
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ImageMagick versions prior to 7.1.2-19 contain a heap overflow that is triggered when the YAML or JSON encoder processes a specially crafted image, causing an out‑of‑bounds heap write and leading to a crash of the running process. This manifests as a denial of service for any service or application relying on those encoders.

Affected Systems

The vulnerability affects the ImageMagick software distributed by ImageMagick:ImageMagick. All releases older than 7.1.2-19 are vulnerable; the issue was fixed in version 7.1.2-19 and later. Administrators should verify the exact version installed on their systems.

Risk and Exploitability

The base score of 6.2 indicates moderate severity. No additional exploitation probability data is available, and it is not listed in the known exploited vulnerabilities catalog. The likely attack vector is the feeding of a malicious image to an application that invokes the YAML or JSON output feature, which is inferred from the description. Successful exploitation requires the attacker to have control over an image that will be processed by the encoder; it does not provide privilege escalation or data exfiltration beyond service disruption.

Generated by OpenCVE AI on April 13, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 7.1.2-19 or newer.
  • Verify the installed version on all affected systems.
  • Ensure that no older ImageMagick libraries remain in the environment.
  • If an upgrade cannot be performed immediately, restrict the use of the YAML and JSON encoders to trusted images only.

Generated by OpenCVE AI on April 13, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5592-p365-24xh ImageMagick has a heap buffer overflow (WRITE) in the YAML and JSON encoders.
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
Title ImageMagick: Heap buffer overflow (WRITE) in the YAML and JSON encoders
Weaknesses CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:52:31.799Z

Reserved: 2026-04-09T19:31:56.015Z

Link: CVE-2026-40169

cve-icon Vulnrichment

Updated: 2026-04-14T15:52:27.968Z

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:29.477

Modified: 2026-04-13T22:16:29.477

Link: CVE-2026-40169

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T21:25:56Z

Links: CVE-2026-40169 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:06Z

Weaknesses