Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer over‑write vulnerability exists in ImageMagick’s distributed pixel cache server. When an attacker connects to the magick -distribute‑cache service, the server can overwrite memory beyond the bounds of a heap buffer, potentially corrupting application state or causing a crash. This flaw can lead to data loss or a denial‑of‑service condition, and if exploited further could open a path to arbitrary code execution, though the CVE data does not explicitly confirm that capability.

Affected Systems

The vulnerability affects ImageMagick releases prior to version 6.9.13‑48 and 7.1.2‑23. Systems running these earlier releases of ImageMagick and exposing the distributed pixel cache service are at risk. Upgrading to at least 6.9.13‑48 or 7.1.2‑23 mitigates the flaw.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate risk; no EPSS score is available, and the issue is not listed in CISA’s KEV catalog. An attacker can remotely connect to the distributed pixel cache service—an inference from the description—to trigger the heap over‑write. Because the flaw requires network access to the service, protecting that interface reduces exploit likelihood, but the lack of a higher severity score suggests that the impact, while present, is not catastrophic without additional compromise steps.

Generated by OpenCVE AI on June 10, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to ImageMagick 6.9.13‑48 or later, or 7.1.2‑23 or later.
  • Restrict network exposure of the magick -distribute-cache service so that only trusted hosts can connect, for example via firewalls or ACLs.
  • If the distributed cache functionality is not required, disable it entirely to eliminate the attack surface until the upgrade to a patched version can be applied.


Advisories
Source | ID | Title
Debian DLA | DLA-4609-1 | imagemagick security update
Debian DSA | DSA-6298-1 | imagemagick security update
Debian DSA | DSA-6310-1 | imagemagick security update
Github GHSA | GHSA-p93h-f2jc-477j | ImageMagick: Heap Buffer Over-Write in distributed pixel cache server

History

Wed, 10 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Imagemagick, Imagemagick imagemagick
Vendors & Products | | Imagemagick, Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Title | | ImageMagick: Heap Buffer Over-Write in distributed pixel cache server
Weaknesses | | CWE-122
References | |
Metrics | | cvssV3_1: {'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:46:45.283Z

Reserved: 2026-05-15T21:46:51.548Z

Link: CVE-2026-46692

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T23:16:47.450

Modified: 2026-06-10T23:16:47.450

Link: CVE-2026-46692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow