Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick, a widely used image editing library, contains a heap buffer over-read flaw in its distributed pixel cache server that allows an attacker who can connect to the magick -distribute-cache service to read memory beyond the intended buffer. This out‑of‑bounds read (CWE‑125) may expose sensitive data stored in memory and is compounded by an authentication bypass weakness (CWE‑287). The vulnerability is not a remote code execution flaw, but it can leak confidential information to the attacker.

Affected Systems

The flaw affects ImageMagick versions prior to 6.9.13‑48 and versions prior to 7.1.2‑23. Any installation that exposes the distributed pixel cache service to untrusted users is vulnerable until updated to the patched releases.

Risk and Exploitability

With a CVSS score of 5.7 this vulnerability is considered medium severity. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. However, the attack requires the ability to connect to the magick -distribute-cache service, so systems exposed on public networks or with inadequate network segmentation could be targeted. Once exploited, the attacker can read arbitrary memory contents from the server process.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 6.9.13‑48 or later, or 7.1.2‑23 or later versions, which include the heap buffer over-read fix.
  • If an upgrade is not immediately possible, restrict access to the distributed pixel cache service to trusted hosts or networks and enforce strong authentication to mitigate the CWE‑287 weakness.
  • Apply network segmentation or firewall rules to block untrusted inbound connections to the magick -distribute-cache port, thereby limiting exposure to the vulnerable service.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-6gxq-f64p-5w6f ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
History

Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Title ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
Weaknesses CWE-125
CWE-287
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T14:34:58.309Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47166

cve-icon Vulnrichment

Updated: 2026-06-11T14:34:53.482Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:48.180

Modified: 2026-06-11T18:42:44.020

Link: CVE-2026-47166

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T21:51:18Z

Links: CVE-2026-47166 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses