ImageMagick: 25 Vulnerabilities Disclosed in Single Batch on June 10, 2026
ImageMagick users face a significant security update with the disclosure of 25 vulnerabilities, including two rated High, all patched on June 10, 2026.

Key findings
- 25 ImageMagick vulnerabilities disclosed simultaneously on June 10, 2026.
- Two High severity flaws (CVSSv3 7.5) involve heap writes, memory exhaustion, and infinite loops.
- Issues affect various image decoders and encoders, including SF3, ICON, DCM, MAT, MIFF, and MSL.
- Medium severity bugs include policy bypass, null pointer dereferences, and heap corruption.
- Patches are available in versions 7.1.2-25, 6.9.13-50, and earlier specific releases.
- The concentrated disclosure indicates a significant security update for ImageMagick users.
On June 10, 2026, ImageMagick, a widely used open-source image manipulation suite, became the subject of a substantial security disclosure, with 25 vulnerabilities identified and patched across its product lines. This concentrated release, published within a single hour, covers a broad range of issues affecting various image formats and internal processing functions.
The vulnerabilities span several categories, including heap buffer overflows, heap buffer over-writes, null pointer dereferences, memory leaks, and out-of-bounds writes. Many of these issues stem from improper handling of specific image formats or operations, such as the SF3 encoder, ICON decoder, DCM decoder, MAT decoder, MIFF encoder, and MSL images.
Notably, two vulnerabilities were classified as High severity (CVSSv3 7.5). CVE-2026-53461, related to an incorrect loop in the ICON decoder, could lead to an out-of-bounds heap write. CVE-2026-53460, stemming from a missing check in AcquireAlignedMemory, could trigger an out-of-memory condition. Additionally, CVE-2026-46522, also rated High, involves an infinite loop in the MIFF decoder leading to CPU exhaustion, and CVE-2026-46520, another High severity bug, can cause an out-of-bounds heap write when processing multiple images with differing dimensions.
Several Medium severity vulnerabilities also present significant risks. CVE-2026-53463 and CVE-2026-53462, for instance, involve null pointer dereferences and heap-use-after-free conditions respectively, both leading to potential crashes. CVE-2026-49219, rated Medium, could allow policy bypass and unauthorized file reading through symlink manipulation. The distributed pixel cache service was also affected by several Medium severity issues, including heap buffer over-reads (CVE-2026-47166), file descriptor hijacking (CVE-2026-46693), and heap buffer over-writes (CVE-2026-46692).
ImageMagick addressed these issues through a series of updates. Versions 7.1.2-25 and 6.9.13-50 resolve many of the earlier disclosed vulnerabilities. Other sets of bugs were fixed in 7.1.2-24 and 6.9.13-48, and in 7.1.2-23 and 6.9.13-48. For some issues, the patched versions cited are 7.1.2-22 and 6.9.13-47.
Users of ImageMagick are strongly advised to update to the latest patched versions as soon as possible to mitigate the risks associated with these numerous vulnerabilities. The sheer volume and concentrated disclosure of these flaws underscore the importance of timely patching and security vigilance for software that handles a wide array of file formats and complex processing tasks.
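The practical first step behind that advice is to find out whether an installed ImageMagick already carries the fix. The script below is an added example, not ImageMagick's own tooling or code from this advisory: it parses the banner line printed by `magick -version` (ImageMagick 7) or `convert -version` (ImageMagick 6), which has the form `Version: ImageMagick 7.1.2-25 Q16-HDRI ...`, and compares the four-part version against the 7.1.2-25 / 6.9.13-50 pair named above. It assumes that pair is the release level that covers the whole batch, and the sample banners are constructed for illustration.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Patched release per major line, taken from the advisory summary above.
# Assumption: these two releases cover the full batch of 25 fixes.
PATCHED: dict = {
    7: (7, 1, 2, 25),
    6: (6, 9, 13, 50),
}

# ImageMagick versions are "major.minor.patch-release", e.g. 7.1.2-25.
VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch, release) from a -version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_patched(version: Version) -> Optional[bool]:
    """True if version is at or above the patched release for its major line.

    Returns None for a major line the advisory does not cover (e.g. a future 8.x),
    so the caller can report "unknown" instead of guessing.
    """
    target = PATCHED.get(version[0])
    if target is None:
        return None
    # Tuple comparison is lexicographic, so 7.1.3-0 correctly ranks above 7.1.2-25.
    return version >= target


def assess_banner(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'unknown-line' or 'unparsed'."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    result = is_patched(version)
    if result is None:
        return "unknown-line"
    return "patched" if result else "vulnerable"


def installed_banner() -> Optional[str]:
    """Fetch the banner from the local ImageMagick, if one is on PATH."""
    for tool in ("magick", "convert"):
        path = shutil.which(tool)
        if path is None:
            continue
        out = subprocess.run([path, "-version"], capture_output=True, text=True)
        if out.returncode == 0 and "ImageMagick" in out.stdout:
            return out.stdout.splitlines()[0]
    return None


# Constructed sample banners (not real output captured from any host).
SAMPLE_BANNERS = [
    "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-25 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-49 Q16 x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-50 Q16 x86_64 https://imagemagick.org",
    "Version: GraphicsMagick 1.3.45",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{assess_banner(banner):13s} {banner}")
    live = installed_banner()
    if live is not None:
        print(f"{assess_banner(live):13s} {live}  (installed)")
```

The script only reads the version string; it does not change the installation. Distribution packages that backport fixes without bumping the upstream release number will show as "vulnerable" here, so treat that verdict as a prompt to check the vendor's changelog rather than as proof of exposure.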