Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick’s ICON decoder contains an incorrectly constructed loop that lets a crafted icon file write beyond the bounds of a heap buffer (CWE-787). The advisory describes the result as a crash, and the CVSS vector scores availability impact only (C:N/I:N/A:H). A heap out-of-bounds write is in principle a memory-corruption primitive that an attacker could try to develop further, but nothing in the advisory confirms code execution, so the assessed impact is denial of service.

Affected Systems

The affected product is ImageMagick itself; any service or application that links ImageMagick, or shells out to its command-line tools, to decode untrusted images inherits the exposure. Every release before 6.9.13‑50 on the 6.x branch and before 7.1.2‑25 on the 7.x branch is affected. Those two versions contain the fix, as do all later releases on each branch.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a network-reachable, unauthenticated denial of service with no confidentiality or integrity impact. No EPSS score has been computed yet for this newly published CVE, and it is not in the CISA KEV catalog, so there is no recorded in-the-wild exploitation; that is not evidence that it cannot be exploited. An attacker only needs to get a malicious ICON file in front of the vulnerable decoder, which is straightforward for any web service, mail gateway or desktop application that processes user-supplied images, and a single file is enough to crash the worker that decodes it. Privilege escalation or remote code execution are not demonstrated by the advisory.

Generated by OpenCVE AI on June 10, 2026 at 23:36 UTC.

Remediation

Vendor fix: ImageMagick 6.9.13‑50 and 7.1.2‑25 contain the patch (see the description above). No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑50 or later, or 7.1.2‑25 or later, which contain the fix for the out‑of‑bounds write.
  • If an upgrade cannot be performed immediately, disable the ICON coder through ImageMagick’s security policy (policy.xml accepts coder‑domain rules that deny a coder by name), or validate files before they reach the decoder: check the ICO magic (reserved word 0, type 1), reject a zero or implausibly large entry count, and reject any file whose icon directory or image payloads extend past the end of the file.
  • Run image‑processing services with the least privilege required and consider isolating them in containers or sandboxed environments so that a crash or potential memory corruption does not affect the entire system.
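The two points made above, a loop that writes past a heap buffer and validating ICON input before the decoder sees it, as an added example. This is not ImageMagick’s code, and the advisory does not say what the incorrect loop in its ICON decoder looks like; the off‑by‑one `<=` in parse_dir_vulnerable is a constructed stand‑in for the CWE-787 pattern. The ICO header layout is the public file format; ICO_MAX_ENTRIES, the sample bytes, and every function name here are this example’s own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ICO container layout (public format; these are not ImageMagick's structs).
 * ICONDIR: reserved u16 (0), type u16 (1 = ICO, 2 = CUR), count u16.
 * ICONDIRENTRY (16 bytes, one per image): width u8, height u8, colors u8,
 * reserved u8, planes u16, bpp u16, bytes_in_res u32, image_offset u32.
 * All fields little-endian. */
#define ICO_HDR 6
#define ICO_ENT 16
#define ICO_MAX_ENTRIES 1024   /* sanity cap chosen for this example, not a format limit */

typedef struct { uint8_t width, height, colors; uint16_t planes, bpp; uint32_t size, offset; } IconEntry;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void read_entry(const uint8_t *p, IconEntry *e) {
    e->width = p[0]; e->height = p[1]; e->colors = p[2];
    e->planes = rd16(p + 4); e->bpp = rd16(p + 6);
    e->size = rd32(p + 8);  e->offset = rd32(p + 12);
}

/* Vulnerable stand-in for an "incorrect loop": the directory is allocated for
 * `count` entries but the loop runs count + 1 times, so the last read_entry()
 * stores a whole IconEntry past the end of the heap block (CWE-787). It also
 * never checks that the directory fits in `len`. */
IconEntry *parse_dir_vulnerable(const uint8_t *buf, size_t len, uint16_t *n) {
    if (len < ICO_HDR) return NULL;
    uint16_t count = rd16(buf + 4);
    IconEntry *dir = calloc(count, sizeof *dir);
    if (dir == NULL) return NULL;
    for (size_t i = 0; i <= count; i++)                 /* BUG: must be i < count */
        read_entry(buf + ICO_HDR + i * ICO_ENT, &dir[i]);
    *n = count;
    return dir;
}

/* Hardened parser, also usable as a pre-decoder validator: rejects a bad magic,
 * a zero or absurd count, a directory that does not fit in the file, and any
 * image payload that extends past the end of the file. The loop is bounded by
 * the same `count` that sized the allocation. Returns 0, or -1 on rejection. */
int parse_dir_safe(const uint8_t *buf, size_t len, IconEntry **out, uint16_t *n) {
    *out = NULL; *n = 0;
    if (len < ICO_HDR) return -1;
    uint16_t reserved = rd16(buf), type = rd16(buf + 2), count = rd16(buf + 4);
    if (reserved != 0 || (type != 1 && type != 2)) return -1;
    if (count == 0 || count > ICO_MAX_ENTRIES) return -1;
    if ((len - ICO_HDR) / ICO_ENT < count) return -1;   /* directory truncated */
    IconEntry *dir = calloc(count, sizeof *dir);
    if (dir == NULL) return -1;
    for (size_t i = 0; i < count; i++) {
        read_entry(buf + ICO_HDR + i * ICO_ENT, &dir[i]);
        /* offset + size <= len, arranged so the addition cannot wrap */
        if (dir[i].offset > len || dir[i].size > len - dir[i].offset) { free(dir); return -1; }
    }
    *out = dir; *n = count;
    return 0;
}

/* Constructed 26-byte sample: one directory entry pointing at a 4-byte payload
 * at offset 22. The payload is filler, not a real icon bitmap. */
static const uint8_t GOOD_ICO[26] = {
    0, 0,  1, 0,  1, 0,                 /* reserved, type = ICO, count = 1 */
    16, 16, 0, 0,  1, 0,  32, 0,        /* 16x16, 1 plane, 32 bpp */
    4, 0, 0, 0,  22, 0, 0, 0,           /* bytes_in_res = 4, image_offset = 22 */
    0xAA, 0xBB, 0xCC, 0xDD              /* payload */
};

/* Runs the hardened parser; returns the entry count, or -1 if the file is rejected. */
int safe_entry_count(const uint8_t *buf, size_t len) {
    IconEntry *dir; uint16_t n;
    if (parse_dir_safe(buf, len, &dir, &n) != 0) return -1;
    free(dir);
    return n;
}
int demo_good(void) { return safe_entry_count(GOOD_ICO, sizeof GOOD_ICO); }
int demo_truncated_directory(void) {          /* header claims 2 entries, only 1 present */
    uint8_t f[sizeof GOOD_ICO]; memcpy(f, GOOD_ICO, sizeof f);
    f[4] = 2;
    return safe_entry_count(f, sizeof f);
}
int demo_payload_past_eof(void) {             /* image_offset = 0xFFFFFFFF; offset + size would wrap */
    uint8_t f[sizeof GOOD_ICO]; memcpy(f, GOOD_ICO, sizeof f);
    memset(f + 18, 0xFF, 4);
    return safe_entry_count(f, sizeof f);
}

int main(void) {
    printf("valid file          -> %d\n", demo_good());
    printf("truncated directory -> %d\n", demo_truncated_directory());
    printf("payload past EOF    -> %d\n", demo_payload_past_eof());
#ifdef DEMO_OVERFLOW   /* build with -fsanitize=address -DDEMO_OVERFLOW to see the heap write */
    uint16_t n;
    free(parse_dir_vulnerable(GOOD_ICO, sizeof GOOD_ICO, &n));
#endif
    return 0;
}
```

Compiled plainly, the program only exercises the hardened parser. Adding `-fsanitize=address -DDEMO_OVERFLOW` runs the vulnerable variant on the one-entry sample, and AddressSanitizer reports a heap-buffer-overflow write on the second iteration, which is the class of fault the advisory describes. The checks in parse_dir_safe are the ones a gateway would apply to uploads before handing a file to the real decoder; denying the ICON coder in ImageMagick’s security policy is the simpler alternative where ICON support is not needed at all.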

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Imagemagick
                                      Imagemagick imagemagick
Vendors & Products                    Imagemagick
                                      Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description                    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Title                          ImageMagick: Out-of-bounds write in ICON decoder due to incorrect loop
Weaknesses                     CWE-787
References
Metrics                        cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T22:03:11.449Z

Reserved: 2026-06-09T16:31:21.495Z

Link: CVE-2026-53461

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T23:16:50.430

Modified: 2026-06-10T23:16:50.430

Link: CVE-2026-53461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:45:44Z

Weaknesses