Skip to main content

ImageMagick CVE-2026-23876

CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-01-20 security-advisories@github.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Untrusted XBM reaches the decoder through unauthenticated upload pipelines with no user interaction (AV:N/AC:L/PR:N/UI:N); a controlled heap overflow plausibly threatens confidentiality, integrity, and availability.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

11
Analysis Updated
Jun 30, 2026 - 04:08 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:08 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:06 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:06 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:23 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 03:23 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 29, 2026 - 13:54 vuln.today
Public exploit code
Patch released
Jan 29, 2026 - 13:54 nvd
Patch available
CVE Published
Jan 20, 2026 - 01:15 nvd
HIGH 8.1

DescriptionNVD

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.

AnalysisAI

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled data past an allocated heap buffer by submitting a maliciously crafted XBM file, affecting all versions prior to 7.1.2-13 and 6.9.13-38. Because any read or identify operation triggers the flaw, it is reachable through ordinary image upload and conversion pipelines, raising the risk of memory corruption and potential remote code execution. Publicly available exploit code exists and a vendor patch is available, though EPSS exploitation probability remains low (0.08%) and it is not listed in CISA KEV.

Technical ContextAI

ImageMagick is a widely embedded image-processing toolkit (and library, via delegates like the PHP Imagick extension and numerous web frameworks) that automatically dispatches files to format-specific decoders. The flaw is in the XBM coder's ReadXBMImage routine; XBM (X BitMap) is a legacy C-source-style monochrome bitmap format whose dimensions and pixel data are parsed from the file itself. The root cause is CWE-122 (heap-based buffer overflow): the decoder allocates a heap buffer based on header-declared geometry but writes decoded pixel data beyond that allocation when the crafted file's contents exceed the computed bounds. Affected CPE is cpe:2.3:a:imagemagick:imagemagick across all versions below the fixed releases. Because ImageMagick auto-detects formats by content, the XBM coder can be reached even when a caller never explicitly requests XBM handling.

RemediationAI

Vendor-released patch: upgrade to ImageMagick 7.1.2-13 or 6.9.13-38 (or later) per advisory https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8; the upstream fix is commit 2fae24192b78fdfdd27d766fd21d90aeac6ea8b8. On managed distributions apply the corresponding packages from Red Hat (https://access.redhat.com/errata/RHSA-2026:3058) or SUSE (https://www.suse.com/support/update/SUSE-SU-2026:0384/ and the 0437/0438/0503 updates) and restart services that link the library. Where immediate patching is not possible, disable the XBM coder via a policy.xml entry such as <policy domain="coder" rights="none" pattern="XBM"/>, which blocks the vulnerable decoder at the cost of losing XBM read/write support; additionally validate and restrict uploaded image formats to an explicit allowlist and enforce ImageMagick resource limits, accepting that content-based format detection means file-extension filtering alone is insufficient.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

CVE-2019-19949 CRITICAL POC
9.1 Dec 24

In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of coders/png.c, relat

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.41 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.62 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.65 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.54 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed

Share

CVE-2026-23876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy