Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Published: 2026-06-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A single‑byte out‑of‑bounds read occurs when ImageMagick generates an IPTC output file from a malicious input. This flaw, identified as CWE‑125 and CWE‑191, allows an attacker to read memory beyond the intended buffer, potentially exposing sensitive data from the process. The vulnerability does not provide code execution or denial‑of‑service capabilities, but it can leak internal data, thereby compromising confidentiality.

Affected Systems

ImageMagick versions prior to 6.9.13‑47 and 7.1.2‑22 are affected. Users employing older releases of the core ImageMagick library should upgrade to the specified patched versions or later.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate impact. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting limited active exploitation. The attack vector is inferred to be local: a malicious file input that an application using ImageMagick processes. An attacker needs to supply crafted input to an application that writes IPTC data, making exploitation plausible in controlled environments.

Generated by OpenCVE AI on June 10, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that addresses the buffer over‑read (CWE‑125) by upgrading ImageMagick to version 6.9.13‑47 or 7.1.2‑22 or later
  • Reduce exposure to the removed input validation flaw (CWE‑191) by restricting production systems from processing untrusted images that include IPTC data
  • Minimize risk of the integer overflow vulnerability (CWE‑191) by limiting the use of IPTC write functionality in your applications to trusted contexts

Generated by OpenCVE AI on June 10, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-7wff-wpr6-vmhm ImageMagick: Heap Buffer Over-Read in IPTC encoder
History

Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Title ImageMagick: Heap Buffer Over-Read in IPTC encoder
Weaknesses CWE-125
CWE-191
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T12:52:52.482Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42326

cve-icon Vulnrichment

Updated: 2026-06-11T12:52:45.059Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T22:16:57.250

Modified: 2026-06-11T18:41:23.033

Link: CVE-2026-42326

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T21:25:35Z

Links: CVE-2026-42326 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:30:43Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-191

    Integer Underflow (Wrap or Wraparound)