| 0 |
| url |
VCID-1dkp-eq4m-kuey |
| vulnerability_id |
VCID-1dkp-eq4m-kuey |
| summary |
ImageMagick: Integer overflow in DIB coder can result in out of bounds read or write
An integer overflow in the DIB coder can result in an out-of-bounds read or write |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28693, GHSA-hffp-q43q-qq76
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1dkp-eq4m-kuey |
|
| 1 |
| url |
VCID-4hmq-1sx8-skcj |
| vulnerability_id |
VCID-4hmq-1sx8-skcj |
| summary |
ImageMagick has heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation
A 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing an extremely large image, an out-of-bounds heap write can occur.
```
=================================================================
==741961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000083dc at pc 0x56553b4c4245 bp 0x7ffd9d20fef0 sp 0x7ffd9d20fee0
WRITE of size 1 at 0x5020000083dc thread T0
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30937, GHSA-qpg4-j99f-8xcg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4hmq-1sx8-skcj |
|
| 2 |
| url |
VCID-cnvc-vfa2-z3fq |
| vulnerability_id |
VCID-cnvc-vfa2-z3fq |
| summary |
ImageMagick has Heap Buffer Over-Read in BilateralBlurImage
BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the `-bilateral-blur` operation, an out-of-bounds read can occur.
```
=================================================================
==676172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50a0000079c0 at pc 0x57b483c722f7 bp 0x7fffc0acd380 sp 0x7fffc0acd370
READ of size 4 at 0x50a0000079c0 thread T0
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30935, GHSA-cqw9-w2m7-r2m2
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cnvc-vfa2-z3fq |
|
| 3 |
| url |
VCID-e59v-wtp4-v7ev |
| vulnerability_id |
VCID-e59v-wtp4-v7ev |
| summary |
ImageMagick: Write heap-buffer-overflow in PCL encoder via undersized output buffer
A heap-buffer-overflow vulnerability exists in the PCL encoder due to an undersized output buffer allocation.
```
WRITE of size 1 at 0x7e79f91f31a0 thread T0
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28686, GHSA-467j-76j7-5885
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e59v-wtp4-v7ev |
|
| 4 |
| url |
VCID-j589-992a-jfa7 |
| vulnerability_id |
VCID-j589-992a-jfa7 |
| summary |
ImageMagick has a Path Policy TOCTOU symlink race bypass
`domain="path"` authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28689, GHSA-493f-jh8w-qhx3
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j589-992a-jfa7 |
|
| 5 |
| url |
VCID-m8u5-3zy6-zyh8 |
| vulnerability_id |
VCID-m8u5-3zy6-zyh8 |
| summary |
ImageMagick has heap use-after-free in the MSL encoder
A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed.
```
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28688, GHSA-xxw5-m53x-j38c
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m8u5-3zy6-zyh8 |
|
| 6 |
| url |
VCID-nfr9-r9x3-4ugt |
| vulnerability_id |
VCID-nfr9-r9x3-4ugt |
| summary |
ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder
The MAT decoder uses 32-bit arithmetic due to incorrect parenthesization, resulting in a heap over-read.
```
=================================================================
==969652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000003b40 at pc 0x555557b2a926 bp 0x7fffffff4c80 sp 0x7fffffff4c70
READ of size 8 at 0x506000003b40 thread T0
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28692, GHSA-mrmj-x24c-wwcv
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nfr9-r9x3-4ugt |
|
| 7 |
| url |
VCID-qrsw-ekum-zue2 |
| vulnerability_id |
VCID-qrsw-ekum-zue2 |
| summary |
ImageMagick has heap-based buffer overflow in UHDR encoder
A heap-based buffer overflow in the UHDR encoder can occur due to truncation of a value, allowing an out-of-bounds write.
```
================================================================
==2158399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x521000039500 at pc 0x562a4a42f968 bp 0x7ffcca4ed6c0 sp 0x7ffcca4ed6b0
WRITE of size 1 at 0x521000039500 thread T0
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30931, GHSA-h95r-c8c7-mrwx
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qrsw-ekum-zue2 |
|
| 8 |
| url |
VCID-t7w8-fz8u-zud8 |
| vulnerability_id |
VCID-t7w8-fz8u-zud8 |
| summary |
ImageMagick has stack buffer overflow in MagnifyImage
MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30929, GHSA-rqq8-jh93-f4vg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t7w8-fz8u-zud8 |
|
| 9 |
| url |
VCID-vk9r-ve4j-w7g2 |
| vulnerability_id |
VCID-vk9r-ve4j-w7g2 |
| summary |
ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder
An overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-31853, GHSA-56jp-jfqg-f8f4
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vk9r-ve4j-w7g2 |
|
| 10 |
| url |
VCID-xuxk-mcdm-q3fr |
| vulnerability_id |
VCID-xuxk-mcdm-q3fr |
| summary |
ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder
An extremely large image profile could result in a heap overflow when encoding a PNG image. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30883, GHSA-qmw5-2p58-xvrc
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xuxk-mcdm-q3fr |
|