ImageMagick
CVE-2026-53463
MEDIUM
Severity by source
Primary rating from vendor (GitHub_M): MEDIUM, CVSS 3.1 base score 4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Network-reachable wherever attacker-influenced input reaches a distort operation, no privileges needed, user interaction required to process the input, and the impact is a low-severity availability crash with no confidentiality or integrity effect.
Description (CVE.org)
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, passing incorrect arguments to the distort operation causes a null pointer dereference. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Analysis (AI)
A null pointer dereference in ImageMagick's distort operation crashes the process doing the image processing when malformed distort arguments reach the distort code. The description attributes the crash to incorrect distort arguments rather than to a specific malformed file format, so the attacker needs a way to influence those arguments. Affected are all ImageMagick 6.x versions prior to 6.9.13-50 and all 7.x versions prior to 7.1.2-25. …
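A quick way to check whether a deployed ImageMagick falls into the affected ranges is to parse the version string printed by `magick -version` (or `convert -version` on 6.x) and compare it against the two patched releases named above. The script below is an added example, not code from the advisory or from the ImageMagick project; the sample version outputs are constructed from the usual `-version` banner format, and the `installed_version` helper only shells out to whatever `magick`/`convert` binary is on PATH.

```python
"""Audit an ImageMagick install against CVE-2026-53463 (added example)."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, release

# Patched releases named in the advisory, keyed by major version branch.
PATCHED = {6: (6, 9, 13, 50), 7: (7, 1, 2, 25)}

# Matches "ImageMagick 7.1.1-29" inside a -version banner; the "-release"
# suffix is optional because some distro builds omit it.
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, release) from -version output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def is_affected(version: Version) -> Optional[bool]:
    """True if vulnerable, False if at/after the fix, None if branch unknown."""
    fixed = PATCHED.get(version[0])
    if fixed is None:
        return None  # advisory only speaks about the 6.x and 7.x branches
    return version < fixed  # tuple comparison orders release numbers correctly


def audit(version_text: str) -> str:
    """Human-readable verdict for a -version banner."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: no ImageMagick version string found"
    label = "%d.%d.%d-%d" % v
    state = is_affected(v)
    if state is None:
        return f"ImageMagick {label}: branch not covered by this advisory"
    if state:
        fixed = "%d.%d.%d-%d" % PATCHED[v[0]]
        return f"ImageMagick {label}: AFFECTED by CVE-2026-53463, upgrade to {fixed}"
    return f"ImageMagick {label}: patched"


def installed_version(binaries=("magick", "convert")) -> Optional[Version]:
    """Run the first available ImageMagick binary with -version (7.x ships
    `magick`; 6.x only has `convert`). Returns None if neither is found."""
    for name in binaries:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "-version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        v = parse_version(out.stdout)
        if v:
            return v
    return None


# Constructed sample banners (not captured from a real host).
SAMPLES = {
    "legacy-6": "Version: ImageMagick 6.9.12-98 Q16 x86_64 18038 https://legacy.imagemagick.org",
    "old-7": "Version: ImageMagick 7.1.1-29 Q16-HDRI x86_64 22117 https://imagemagick.org",
    "fixed-7": "Version: ImageMagick 7.1.2-25 Q16-HDRI x86_64 22640 https://imagemagick.org",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name}: {audit(banner)}")
    v = installed_version()
    print("installed:", audit("ImageMagick %d.%d.%d-%d" % v) if v else "no ImageMagick binary on PATH")
```

On Windows, `convert` may resolve to the filesystem tool of the same name rather than ImageMagick 6; `parse_version` returns None for its output, so the loop simply moves on.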
Vulnerability Assessment (AI)

| Topic | Assessment |
|---|---|
| Exploitation | The ImageMagick distort operation must be invoked on attacker-controlled input, meaning the target application must accept user-supplied images and pass them through ImageMagick's distort code path with attacker-influenced arguments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) accurately reflects the limited impact ceiling here. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a crafted image to a web application that uses ImageMagick's distort operation during server-side processing (e.g., for thumbnail generation with perspective correction). When the application invokes ImageMagick on the malicious file, the distort code receives the malformed arguments, dereferences a NULL pointer, and the ImageMagick process terminates. … |
| Remediation | Upgrade to ImageMagick 6.9.13-50 (6.x branch) or 7.1.2-25 (7.x branch) as documented in the vendor advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p9rq-q46c-g4x6. … Detailed patch versions, workarounds, and compensating controls in full report. |
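Upgrading is the fix; until then, the practical compensating control for the exploit scenario above is to make sure attacker-influenced values never reach `-distort` unchecked. The wrapper below is an added example, not code from the page or the ImageMagick project: it allowlists the distort methods an application actually uses, requires every argument to be a plain finite number, enforces an argument count per method, re-serialises the arguments itself, and runs ImageMagick without a shell while distinguishing a signal-terminated crash from an ordinary non-zero exit. The per-method argument counts are my assumptions from the `-distort` documentation, not from the advisory; verify them against the version you deploy. The `magick` binary name and the `-distort METHOD "ARGS"` syntax are ImageMagick's own.

```python
"""Validate -distort arguments before handing them to ImageMagick (added example)."""
import math
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed allowlist: method -> (min_count, max_count, multiple_of) for the
# numeric arguments. ASSUMPTION: counts follow my reading of the -distort
# documentation; adjust for the methods and versions you actually use.
DISTORT_METHODS = {
    "AffineProjection":      (6, 6, 1),
    "PerspectiveProjection": (8, 8, 1),
    "Affine":                (4, None, 4),   # control-point pairs: x,y X,Y
    "Perspective":           (16, None, 4),  # at least four control-point pairs
    "SRT":                   (1, 7, 1),
    "ScaleRotateTranslate":  (1, 7, 1),
    "Arc":                   (1, 4, 1),
    "Barrel":                (3, 8, 1),
}

# Plain decimal or scientific notation only: no '%', no expressions, nothing
# ImageMagick's own argument parser would have to interpret further.
_NUMBER = re.compile(r"^[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?$")


class DistortArgumentError(ValueError):
    pass


def parse_distort_args(method: str, args: str) -> List[float]:
    """Return the argument list as floats, or raise DistortArgumentError."""
    spec = DISTORT_METHODS.get(method)
    if spec is None:
        raise DistortArgumentError(f"distort method not allowed: {method!r}")
    lo, hi, step = spec
    tokens = [t for t in re.split(r"[\s,]+", args.strip()) if t]
    values = []
    for t in tokens:
        if not _NUMBER.match(t):
            raise DistortArgumentError(f"non-numeric distort argument: {t!r}")
        v = float(t)
        if not math.isfinite(v):  # e.g. '1e999' parses but overflows to inf
            raise DistortArgumentError(f"non-finite distort argument: {t!r}")
        values.append(v)
    n = len(values)
    if n < lo or (hi is not None and n > hi) or n % step != 0:
        raise DistortArgumentError(
            f"{method} given {n} arguments; expected {lo}..{hi if hi else 'n'}"
            f" in multiples of {step}")
    return values


def check_distort_args(method: str, args: str) -> Optional[str]:
    """None if acceptable, otherwise the reason for rejection."""
    try:
        parse_distort_args(method, args)
    except DistortArgumentError as exc:
        return str(exc)
    return None


def build_distort_command(src: str, dst: str, method: str, args: str,
                          magick: str = "magick") -> List[str]:
    """Argv list for subprocess (no shell); arguments are re-serialised from
    the validated floats so only canonical numbers reach ImageMagick."""
    values = parse_distort_args(method, args)
    return [magick, src, "-distort", method, " ".join(repr(v) for v in values), dst]


def run_distort(cmd: List[str], timeout: int = 30) -> Tuple[str, int, str]:
    """Run the command; report ('crash', signal, stderr) when ImageMagick died
    from a signal (the failure mode of this CVE), ('error', rc, stderr) for a
    normal non-zero exit, ('ok', 0, '') on success."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    if proc.returncode < 0:          # POSIX: negative returncode == -signal
        return ("crash", -proc.returncode, proc.stderr)
    if proc.returncode != 0:
        return ("error", proc.returncode, proc.stderr)
    return ("ok", 0, "")


if __name__ == "__main__":
    # Constructed inputs: a user-supplied perspective correction and two that
    # should be refused before ImageMagick ever sees them.
    good = "0,0 0,0  100,0 100,0  100,100 100,100  0,100 0,100"
    print(build_distort_command("upload.png", "thumb.png", "Perspective", good))
    print(check_distort_args("Perspective", "0,0 0,0 100,0 100,0"))
    print(check_distort_args("SRT", "45%"))
```

The wrapper deliberately rejects ImageMagick's percent and expression syntaxes; if your application needs them, add an explicit grammar for those forms rather than loosening `_NUMBER`.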