Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. This vulnerability is fixed in 7.1.2-21 and 6.9.13-46.
Published: 2026-05-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer overflow in the XTileImage component of ImageMagick can be triggered by opening a specially crafted MIFF file in the display tool and then right‑clicking a tile to invoke the Load / Update menu. The overflow leads to a crash of the application. The vulnerability is scored at 5.5 on the CVSS scale, indicating a moderate impact.

Affected Systems

ImageMagick versions older than 7.1.2‑21 and 6.9.13‑46 are vulnerable. This includes all releases of the 7.x series before 7.1.2‑21 and all releases of the 6.x series before 6.9.13‑46. Users of the free and open‑source ImageMagick product who run the display utility are potentially affected.

Risk and Exploitability

The CVSS score of 5.5 reflects the local nature of this flaw: an attacker must deliver a malicious MIFF file and have the victim open it in the display tool, then perform a specific user action. No remote exploitation vector is documented and the EPSS score is not available, suggesting limited exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Immediate patching mitigates the risk entirely.

Generated by OpenCVE AI on May 11, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑21 or newer, or 6.9.13‑46 or newer, to remove the overflow.
  • Avoid opening unknown MIFF files with the ImageMagick display tool to eliminate the trigger.
  • If possible, disable or restrict the Load / Update menu in the XTileImage feature to prevent the vulnerable action from being available to untrusted users.

Generated by OpenCVE AI on May 11, 2026 at 23:06 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Imagemagick; Imagemagick imagemagick

Type: Vendors & Products
Values Removed: none
Values Added: Imagemagick; Imagemagick imagemagick

Mon, 11 May 2026 20:15:00 +0000

Type: Description
Values Removed: none
Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. This vulnerability is fixed in 7.1.2-21 and 6.9.13-46.

Type: Title
Values Removed: none
Values Added: ImageMagick: Stack buffer overflow in XTileImage

Type: Weaknesses
Values Removed: none
Values Added: CWE-121

Type: References
Values Removed: none
Values Added:

Type: Metrics
Values Removed: none
Values Added: cvssV3_1
{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Imagemagick Imagemagick
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:30:47.683Z

Reserved: 2026-04-23T16:05:01.710Z

Link: CVE-2026-42050

Vulnrichment

Updated: 2026-05-12T13:30:42.666Z

NVD

Status: Received

Published: 2026-05-11T20:25:42.280

Modified: 2026-05-11T20:25:42.280

Link: CVE-2026-42050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:15:09Z

Weaknesses