Skip to main content

ImageMagick EUVDEUVD-2026-43172

| CVE-2026-56372 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-07-11 VulnCheck GHSA-x98x-mp75-v6m4
4.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.4 MEDIUM

Local file processing (AV:L), user must trigger conversion (UI:R), no account needed (PR:N); OOB read yields partial heap disclosure (C:L) and potential crash (A:L), no write primitive (I:N).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 11, 2026 - 15:01 EUVD
Analysis Generated
Jul 11, 2026 - 14:16 vuln.today

DescriptionCVE.org

ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify operation that allows attackers to read out of bounds memory. An unrecognized magnify:method value triggers an out of bounds read, potentially exposing sensitive information or causing denial of service.

AnalysisAI

Heap-based out-of-bounds read in ImageMagick before 7.1.2-19 is triggered when processing an image carrying an unrecognized magnify:method value, causing the magnify operation to read beyond allocated heap memory. Affected systems running any version prior to 7.1.2-19 can be impacted when a user or automated pipeline processes a specially crafted image file, with outcomes ranging from partial memory disclosure to application crash. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft image with invalid magnify:method value
Delivery
Deliver to target via upload or file share
Exploit
User or pipeline invokes ImageMagick on image
Execution
Magnify operation encounters unrecognized method
Persist
Heap out-of-bounds read triggered
Impact
Adjacent heap memory leaked or process crashes

Vulnerability AssessmentAI

Exploitation Exploitation requires that a user or automated process invoke ImageMagick's magnify operation on an attacker-controlled image file containing an unrecognized magnify:method value - this is the specific triggering condition per the CVE description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L) scores 4.8 Medium, reflecting a local attack vector with required user interaction and only low availability impact on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious image file embedding an unrecognized magnify:method value in its metadata or processing directives, then uploads it to a web application or shares it with a user whose workflow invokes ImageMagick (e.g., a CMS thumbnail generator, a document converter, or a command-line convert invocation). When ImageMagick's magnify operation processes the file and encounters the unrecognized method value, it performs a heap out-of-bounds read, potentially leaking adjacent heap contents to the attacker (if output is reflected) or crashing the processing process. …
Remediation The primary fix is upgrading to ImageMagick 7.1.2-19 or later, as confirmed by the upstream security advisory GHSA-8vfj-q2cp-5m5j at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8vfj-q2cp-5m5j. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Share

EUVD-2026-43172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy