Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. This vulnerability is fixed in 7.1.2-21 and 6.9.13-46.
Published: 2026-05-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer overflow in ImageMagick's XTileImage routine can be triggered by opening a specially crafted MIFF file in the display tool and then right‑clicking a tile to invoke the Load / Update menu item. The record carries two weaknesses: CWE‑121 (stack-based buffer overflow) and CWE‑131 (incorrect calculation of buffer size), i.e. the overrun stems from a miscalculated buffer size. The documented result is a crash of the display application; the CVSS 3.1 vector (C:N/I:N/A:H) rates availability impact only, which yields the base score of 5.5 (Medium).

Affected Systems

ImageMagick releases older than 7.1.2‑21 (7.x series) and 6.9.13‑46 (6.x series) are affected. The documented trigger requires the interactive display utility: a user must open the malicious MIFF file in display and use the tile context menu. Hosts that only run ImageMagick headlessly (convert, magick, library calls) are not reached by the path this advisory describes, although they should still move to a fixed release.

Risk and Exploitability

The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) reflects the local nature of this flaw: an attacker must deliver a malicious MIFF file, the victim must open it in the display tool, and a further user action (right‑clicking a tile and choosing Load / Update) is required. No remote exploitation vector is documented, the EPSS score of 0.00014 (<1%) indicates a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: partial) points the same way. Upgrading to a fixed release removes the flaw; until then the exposure is limited to users who open untrusted MIFF files in display.

Generated by OpenCVE AI on May 19, 2026 at 01:51 UTC.

Remediation

Upstream fixed the issue in ImageMagick 7.1.2-21 and 6.9.13-46. Debian has shipped corrected packages under DLA-4609-1, DSA-6298-1 and DSA-6310-1 (see Advisories below); other distributions may backport the fix without changing the upstream version number.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑21 or newer, or 6.9.13‑46 or newer, to remove the overflow.
  • Avoid opening unknown MIFF files with the ImageMagick display tool to eliminate the trigger.
  • ImageMagick has no setting that disables individual display menu items, so the Load / Update action cannot be removed by configuration. Where MIFF input is not needed, the security policy (policy.xml) can deny the MIFF coder (a coder policy with rights none and pattern MIFF), so display refuses to read such files at all; this blocks MIFF for every ImageMagick tool on the host, so test it before rolling it out.
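To turn the version thresholds above into a check, here is an added example (not part of the OpenCVE page or of ImageMagick) that parses the banner printed by magick -version, convert -version or display -version and compares it against the first fixed release of the matching branch. The sample banners are constructed for the example and are not captured from real systems; the function names are this example's own.

```python
"""Check an ImageMagick version banner against the releases that fix
CVE-2026-42050 (7.1.2-21 and 6.9.13-46).

Added example, not part of the OpenCVE page or of ImageMagick. It parses
the banner printed by `magick -version` / `convert -version` /
`display -version`; the sample banners at the bottom are constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed release per major branch, from the advisory text.
FIXED = {7: (7, 1, 2, 21), 6: (6, 9, 13, 46)}

# ImageMagick prints e.g. "Version: ImageMagick 7.1.1-47 Q16-HDRI x86_64 ..."
_BANNER_RE = re.compile(r"Version:\s*ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, micro, patch) from a -version banner, or None."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, micro, patch = (int(g) for g in match.groups())
    return (major, minor, micro, patch)


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if below the fix for its branch, False if at/after it,
    None if the advisory names no fixed release for that major version."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    return version < fixed  # tuple order: 7.1.1-99 < 7.1.2-0 < 7.1.2-21


def classify_banner(banner: str) -> str:
    """One-line verdict for a banner, e.g. '7.1.1-47: VULNERABLE'."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    label = {True: "VULNERABLE", False: "fixed", None: "unknown branch"}
    return f"{'.'.join(map(str, version[:3]))}-{version[3]}: {label[is_vulnerable(version)]}"


def check_installed(commands=("magick", "convert", "display")) -> Optional[str]:
    """Run the first ImageMagick binary found on PATH and classify its banner."""
    for cmd in commands:
        try:
            proc = subprocess.run([cmd, "-version"], capture_output=True,
                                  text=True, timeout=10, check=False)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        return f"{cmd}: {classify_banner(proc.stdout)}"
    return None


# Constructed sample banners in the format ImageMagick actually prints.
SAMPLE_BANNERS = [
    "Version: ImageMagick 7.1.1-47 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-21 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.12-98 Q16 x86_64 https://legacy.imagemagick.org",
    "Version: ImageMagick 6.9.13-46 Q16 x86_64 https://legacy.imagemagick.org",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(classify_banner(banner))
    print(check_installed() or "no ImageMagick binary found on PATH")
```

One caveat for distribution packages: Debian's DLA/DSA updates fix the bug while keeping the older upstream version in the banner, so on such hosts this check reports VULNERABLE for a patched build. There, compare the installed package version against the one named in the advisory (dpkg -l imagemagick) rather than trusting the banner alone.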



Advisories
Source | ID | Title
Debian DLA | DLA-4609-1 | imagemagick security update
Debian DSA | DSA-6298-1 | imagemagick security update
Debian DSA | DSA-6310-1 | imagemagick security update
History

Tue, 19 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-131
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 13 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 12 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Imagemagick; Imagemagick imagemagick
Vendors & Products | | Imagemagick; Imagemagick imagemagick

Mon, 11 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | ImageMagick: Stack buffer overflow in XTileImage
Weaknesses | | CWE-121
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M


Updated: 2026-05-12T13:30:47.683Z

Reserved: 2026-04-23T16:05:01.710Z

Link: CVE-2026-42050

Vulnrichment

Updated: 2026-05-12T13:30:42.666Z

NVD

Status : Analyzed

Published: 2026-05-11T20:25:42.280

Modified: 2026-05-13T19:38:45.640

Link: CVE-2026-42050

Red Hat

Severity : Moderate

Public Date: 2026-05-11T19:46:50Z

Links: CVE-2026-42050 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T02:00:14Z

Weaknesses
  • CWE-121: Stack-based Buffer Overflow
  • CWE-131: Incorrect Calculation of Buffer Size