Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds heap write occurs when ImageMagick processes multiple image files of different dimensions in a single read operation, allowing a malicious user to overwrite arbitrary memory. The vulnerability is a classic buffer overflow (CWE-122, CWE-787) and can lead to image processing crashes, denial of service, or potentially arbitrary code execution if the attacker controls the image data. The impact is widespread because any system that accepts untrusted images for conversion or manipulation is at risk.

Affected Systems

The flaw exists in the ImageMagick suite for all versions released prior to 6.9.13-48 and 7.1.2-23. Any deployment using those older releases and performing multi‑image reads with variable dimensions is vulnerable. The patch is released in the mentioned newer versions, which correct the heap bounds checking when decoding IPL data.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high severity. No EPSS score is available, but the lack of Kinetic Exploitation Vulnerabilities reporting suggests no widespread active exploitation is documented yet. However, because attackers can supply crafted image files, the likely attack vector is a supply‑chain or web‑based vector where untrusted images are processed. The risk remains substantial for any environment that uses ImageMagick on untrusted input.

Generated by OpenCVE AI on June 10, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to at least 6.9.13‑48 or 7.1.2‑23 to apply the heap bounds fix
  • If an upgrade cannot be performed immediately, reject or isolate batches that contain images of differing dimensions, processing each image separately
  • Run ImageMagick in a restricted environment or with the least privileges necessary to reduce the potential impact should a buffer overflow be triggered

Generated by OpenCVE AI on June 10, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-36wm-hprc-mcf5 ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions
History

Wed, 10 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Title ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions
Weaknesses CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:31:57.105Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46520

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T22:16:59.193

Modified: 2026-06-10T22:16:59.193

Link: CVE-2026-46520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T22:30:22Z

Weaknesses