Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick, a widely used image editing library, contains a heap buffer over-read flaw in its distributed pixel cache server that allows an attacker who can connect to the magick -distribute-cache service to read memory beyond the intended buffer. This out‑of‑bounds read (CWE‑125) may expose sensitive data stored in memory and is compounded by an authentication bypass weakness (CWE‑287). The vulnerability is not a remote code execution flaw, but it can leak confidential information to the attacker.

Affected Systems

The flaw affects ImageMagick versions prior to 6.9.13‑48 and versions prior to 7.1.2‑23. Any installation that exposes the distributed pixel cache service to untrusted users is vulnerable until updated to the patched releases.

Risk and Exploitability

With a CVSS score of 5.7 this vulnerability is considered medium severity. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. However, the attack requires the ability to connect to the magick -distribute-cache service, so systems exposed on public networks or with inadequate network segmentation could be targeted. Once exploited, the attacker can read arbitrary memory contents from the server process.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 6.9.13‑48 or later, or 7.1.2‑23 or later versions, which include the heap buffer over-read fix.
  • If an upgrade is not immediately possible, restrict access to the distributed pixel cache service to trusted hosts or networks and enforce strong authentication to mitigate the CWE‑287 weakness.
  • Apply network segmentation or firewall rules to block untrusted inbound connections to the magick -distribute-cache port, thereby limiting exposure to the vulnerable service.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-6gxq-f64p-5w6f ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
History

Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Title ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
Weaknesses CWE-125
CWE-287
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:51:18.236Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47166

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T23:16:48.180

Modified: 2026-06-10T23:16:48.180

Link: CVE-2026-47166

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses