Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-24, when using an image with mask the Floyd-Steinberg dithering method it will cause a negative heap buffer over-write. This issue has been patched in version 7.1.2-24.
Published: 2026-06-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a negative heap buffer underwrite that occurs when ImageMagick processes an image with a mask using the Floyd‑Steinberg dithering method. The underwrite can corrupt adjacent heap memory, potentially causing crashes, data corruption, or, in the presence of exploitable code, arbitrary code execution. It is listed under CWE‑787 and is mitigated in version 7.1.2‑24.

Affected Systems

The vulnerability affects ImageMagick by ImageMagick. Any installation older than version 7.1.2‑24 that uses Floyd‑Steinberg dithering on masked images is susceptible. Versions 7.1.2‑24 and later contain the patch.

Risk and Exploitability

The CVSS score of 5.5 gives it a medium severity. No EPSS score is available, and the issue is not listed in CISA KEV. Likely attack vector involves a crafted image file that the software processes; the vulnerability could be exploited locally by an attacker who can supply such a file, or remotely if the image is handled in a publicly exposed service. No evidence of active exploitation is public.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ImageMagick 7.1.2‑24 or later, where the buffer underwrite is fixed.
  • If upgrading is unavailable, disable Floyd‑Steinberg dithering or avoid processing masked images with that algorithm until a patch can be applied.
  • Restrict access to image‑processing services so that only trusted users or applications can supply images, and validate image inputs before processing.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-24, when using an image with mask the Floyd-Steinberg dithering method it will cause a negative heap buffer over-write. This issue has been patched in version 7.1.2-24.
Title ImageMagick: Heap Buffer Underwrite in Floyd-Steinberg depth dithering
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T14:35:57.156Z

Reserved: 2026-05-22T18:47:27.756Z

Link: CVE-2026-48724

cve-icon Vulnrichment

Updated: 2026-06-11T14:35:49.077Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T23:16:48.950

Modified: 2026-06-11T15:15:54.900

Link: CVE-2026-48724

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses