Skip to main content

ImageMagick CVE-2026-42050

| EUVDEUVD-2026-29204 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-05-11 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 11, 2026 - 21:03 EUVD
Analysis Generated
May 11, 2026 - 20:30 vuln.today
CVE Published
May 11, 2026 - 19:46 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. This vulnerability is fixed in 7.1.2-21 and 6.9.13-46.

AnalysisAI

Stack buffer overflow in ImageMagick display tool prior to versions 7.1.2-21 and 6.9.13-46 allows local attackers to cause denial of service by crafting a malicious MIFF file that triggers memory corruption when a user opens the file and invokes the Load/Update menu via right-click interaction. CVSS score of 5.5 reflects local attack vector and requirement for user interaction, with impact limited to availability (denial of service) rather than code execution.

Technical ContextAI

ImageMagick's display tool processes MIFF (Magick Image File Format) files, a proprietary image format that encodes image data and metadata. The vulnerability exists in the tile loading logic, specifically in the code path invoked when users right-click on image tiles and select the Load/Update menu item. CWE-121 (stack-based buffer overflow) indicates improper bounds checking when parsing or loading MIFF tile data into a fixed-size stack buffer. The vulnerability affects both legacy (6.9.x) and current (7.1.x) versions, suggesting the flaw has persisted across major version branches.

RemediationAI

Upgrade ImageMagick immediately to version 7.1.2-21 or later (current branch) or 6.9.13-46 or later (legacy branch), depending on your maintenance track. Users can verify their installed version with identify -version. If immediate patching is not feasible, apply compensating controls by disabling or restricting the display tool in production environments, particularly on systems that process untrusted MIFF files. For web services or batch processing pipelines using ImageMagick, consider replacing invocations of the display tool with programmatic image handling via ImageMagick's library APIs (C, Perl, PHP, Python) which do not expose the vulnerable right-click tile loading UI. If the display tool must remain accessible, implement strict file input validation and restrict opening of MIFF files from untrusted sources, or run the display tool in a sandboxed environment with limited privileges to contain the denial-of-service impact. Note that these mitigations trade usability for security; upgrading is the recommended path. Consult the GitHub security advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7mxf-ff4f-jj7p for detailed release notes and additional guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-42050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy