Vypr Intelligence · AI-generated · May 31, 2026 · 12 CVEs

ImageMagick: 12 CVEs Disclosed in a Single Day — Heap Bugs, Policy Bypasses, and Stack Overflows

A batch of 12 ImageMagick vulnerabilities was published on May 18, 2026, spanning heap buffer over-writes, use-after-free, stack overflow, infinite loops, and policy bypasses across multiple decoders and encoders.

Key findings

  • 12 CVEs disclosed in a single day across ImageMagick encoders, decoders, and operations
  • Heap buffer over-writes affect JP2 encoder (CVE-2026-46559), MIFF encoder (CVE-2026-46521), and IPL decoder (CVE-2026-46520)
  • Use-after-free in MSL decoder (CVE-2026-46523) and stack overflow in fx operation (CVE-2026-46557)
  • Policy bypasses in MNG coder (CVE-2026-45664) and PSD decoder (CVE-2026-45031) allow exceeding list-length limits
  • Infinite loop in MIFF decoder (CVE-2026-46522) enables CPU-exhaustion denial of service
  • All CVEs were published within a 5-hour window on May 18, 2026

On May 18, 2026, a batch of 12 CVEs affecting ImageMagick — the widely used open-source image processing library — was disclosed within a five-hour window. The vulnerabilities span heap buffer over-writes, use-after-free, stack overflow, infinite loops, out-of-bounds reads, and policy bypasses across a broad set of coders and operations, including JP2, MIFF, MSL, IPL, PSD, MNG, and IPTC. While none carry a published CVSS score above "high," the sheer breadth of affected components means that any application relying on ImageMagick to process untrusted images — from web upload handlers to email attachment scanners — should treat this batch as a priority patch event.

Heap buffer over-writes dominate the batch. CVE-2026-46559 describes a single-byte heap buffer over-write in the JP2 encoder triggered by specifying certain options. CVE-2026-46521 hits the MIFF encoder when LZMA compression is used, causing an out-of-bounds write due to a missing bounds check. CVE-2026-46520 is a heap buffer over-write in the IPL decoder that occurs when reading multiple images with different dimensions — a common scenario in batch-processing pipelines. A single-byte out-of-bounds read also appears in the meta encoder (CVE-2026-45358) and the IPTC encoder (CVE-2026-42326), both triggered by malicious input files.

Memory corruption in decoders and operations. CVE-2026-46523 is a use-after-free in the MSL (Magick Scripting Language) decoder, a code path that processes scripted image instructions and is a historically sensitive attack surface in ImageMagick. CVE-2026-46557 causes a stack overflow in the fx operation — a per-pixel expression evaluator — because the evaluator lacks a recursion depth check, so a crafted expression argument can exhaust the stack. CVE-2026-45624 produces a 24-byte heap buffer over-read in the distort operation during polynomial distortion with specific arguments. CVE-2026-45359 triggers a heap buffer over-read in the connected-components operation when the user supplies an invalid connected-components:keep-top define.

Denial-of-service and resource-exhaustion bugs. CVE-2026-46522 is an infinite loop in the MIFF decoder caused by a missing sanity check, leading to CPU exhaustion from a crafted file. Two policy-bypass CVEs — CVE-2026-45664 in the MNG coder and CVE-2026-45031 in the PSD decoder — allow an attacker to exceed the list-length resource policy limit, enabling excessive resource consumption. In the MNG case, more images than the policy allows can be read; in the PSD case, other security limits still apply but the list-length guard is circumvented.

Patch status and response. ImageMagick maintainers have addressed the full batch. Users and downstream integrators should update to the latest release of ImageMagick that includes fixes for these CVEs. As with prior ImageMagick disclosure events, the recommended mitigation for production systems that process untrusted images is to combine the software update with a hardened policy.xml configuration — disabling coders that are not required for the application's workflow.
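As an added example (not the article's own text and not ImageMagick's shipped policy.xml), a hardened policy.xml fragment that implements the mitigation described above: the coders named in this batch are denied explicitly, and the list-length resource that the MNG and PSD bypasses circumvent is capped alongside the other standard limits. Which coders a given deployment can drop, and the numeric limits, are assumptions to adapt to the application's workflow.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy.xml; assumes a service that only needs to read
     PNG/JPEG uploads and write JPEG thumbnails. Adjust to your workflow. -->
<policymap>
  <!-- Deny the coders this batch touches. Patterns are ImageMagick format
       names; rights="none" blocks both reading and writing that format. -->
  <policy domain="coder" rights="none" pattern="MSL"/>   <!-- CVE-2026-46523 -->
  <policy domain="coder" rights="none" pattern="MNG"/>   <!-- CVE-2026-45664 -->
  <policy domain="coder" rights="none" pattern="PSD"/>   <!-- CVE-2026-45031 -->
  <policy domain="coder" rights="none" pattern="IPL"/>   <!-- CVE-2026-46520 -->
  <policy domain="coder" rights="none" pattern="JP2"/>   <!-- CVE-2026-46559 -->
  <policy domain="coder" rights="none" pattern="IPTC"/>  <!-- CVE-2026-42326 -->
  <!-- MIFF is ImageMagick's native interchange format and some pipelines
       pass images between processes as miff:-; deny it only if unused. -->
  <policy domain="coder" rights="none" pattern="MIFF"/>  <!-- CVE-2026-46521, -46522 -->

  <!-- Indirect reads via @filename are not needed when processing
       untrusted uploads; deny them (assumed to be unused here). -->
  <policy domain="path" rights="none" pattern="@*"/>

  <!-- Resource limits. list-length is the guard the MNG and PSD bypasses
       circumvent; keep it low so it still limits multi-image files once
       the coders are patched. Other values are assumed, not from the page. -->
  <policy domain="resource" name="list-length" value="16"/>
  <policy domain="resource" name="width"  value="16KP"/>
  <policy domain="resource" name="height" value="16KP"/>
  <policy domain="resource" name="area"   value="128MP"/>
  <policy domain="resource" name="memory" value="512MiB"/>
  <policy domain="resource" name="map"    value="1GiB"/>
  <policy domain="resource" name="disk"   value="2GiB"/>
  <policy domain="resource" name="time"   value="60"/>
  <policy domain="resource" name="thread" value="2"/>
</policymap>
```

Install it as the policy.xml on ImageMagick's configuration search path, then confirm the active rules with `magick -list policy` and the effective limits with `magick -list resource`. The policy is a defence-in-depth layer only: it does not remove the bugs from any coder that stays enabled, so the software update remains required.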

Why this batch matters. ImageMagick sits in the processing pipeline of countless web applications, content management systems, and media platforms. A single batch of 12 CVEs touching encoders, decoders, and image operators means that attackers have multiple entry points to probe. The mix of memory-safety bugs (heap over-writes, use-after-free, stack overflow) and logic bugs (policy bypass, infinite loop) makes this a particularly broad disclosure. Organizations running ImageMagick should verify their patch level and review their resource-policy configuration to limit blast radius from any single coder.

AI-written article. Grounded in 12 CVE records listed below.