Impact
ImageMagick, a widely used open‑source image manipulation library, has a heap buffer overwrite in the MIFF encoder when LZMA compression is used. A missing bounds check allows a crafted image to write beyond the allocated buffer, which can corrupt memory and may result in arbitrary code execution, data corruption, or a service crash. The vulnerability is categorized under CWE‑131, CWE‑787, and CWE‑835, reflecting improper buffer size calculation, heap buffer overflow, and unbounded array indexing, respectively. The CVSS score of 5.5 indicates a moderate severity that warrants attention but does not imply guaranteed remote execution.
Affected Systems
All installations of ImageMagick prior to versions 6.9.13‑48 and 7.1.2‑23 are affected. The vendor and product are both ImageMagick. The issue was fixed in those releases, so any deployment running an older version should upgrade to at least the fixed release for its branch.
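To check an inventory against the two fixed releases named above, the following is an added example, not part of the original advisory or ImageMagick's own code. It assumes the upstream `ImageMagick X.Y.Z-N` banner format (the first line printed by `magick -version` or `convert -version`); the host names and banner strings are constructed.

```python
import re

# Fixed releases named in the advisory, one per branch (keyed by major version).
FIXED = {6: (6, 9, 13, 48), 7: (7, 1, 2, 23)}

# Upstream banner format, e.g. "Version: ImageMagick 7.1.1-29 Q16-HDRI x86_64 ..."
BANNER_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, release) as ints, or None if not recognised."""
    m = BANNER_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(banner):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version banner."""
    version = parse_version(banner)
    if version is None or version[0] not in FIXED:
        return "unknown"  # unparsable, or a branch the advisory names no fix for
    # Compare as integer tuples against the fix for the SAME branch:
    # 7.1.2-9 is older than 7.1.2-23, and 6.9.13-48 is fixed although it is < 7.x.
    return "vulnerable" if version < FIXED[version[0]] else "fixed"


def audit(inventory):
    """Map {host: banner} to the sorted list of hosts not confirmed fixed."""
    return sorted(h for h, b in inventory.items() if classify(b) != "fixed")


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE = {
    "img-worker-1": "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64",
    "img-worker-2": "Version: ImageMagick 7.1.2-23 Q16-HDRI x86_64",
    "legacy-cms": "Version: ImageMagick 6.9.12-98 Q16 x86_64",
    "thumbs": "Version: ImageMagick 6.9.13-48 Q16 x86_64",
}

if __name__ == "__main__":
    print("needs attention:", audit(SAMPLE))
```

Distribution packages can carry a backported fix under an older upstream version number, so confirm a "vulnerable" result against the distribution's own advisory before treating it as final.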
Risk and Exploitability
The CVSS rating of 5.5 reflects a moderate risk; the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves delivering a malicious MIFF file containing LZMA compressed data to a vulnerable instance of ImageMagick, either locally or remotely depending on how the library is accessed. Successful exploitation would require the library to process the crafted file, triggering the out‑of‑bounds write and potentially allowing code execution or a denial of service.