CVE-2022-28463
Description
A heap-buffer-overflow in ImageMagick 7.1.0-27's CIN decoder allows potential code execution via crafted images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick 7.1.0-27 is vulnerable to a heap-buffer-overflow in the PushLongPixel function located in quantum-private.h. The issue is triggered when decoding crafted CIN image files. The CIN decoder reads the image_offset field from the file header without proper validation. If image_offset is less than 712 bytes, the subsequent read operations access heap memory outside the allocated buffer, leading to a buffer overflow. This vulnerability is documented in the ImageMagick issue #4988 and affects version 7.1.0-27 [1][2][3].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious CIN image file with an image_offset value below 712. The victim must open the crafted image using ImageMagick (e.g., via an application that processes user-supplied images). No authentication or special privileges are required. The overflow occurs during the import of pixel data, allowing the attacker to read out-of-bounds heap data [1].
Impact
Successful exploitation can result in information disclosure of heap memory contents, potentially revealing sensitive data. Under certain conditions, the attacker might achieve arbitrary code execution by controlling the data read from out-of-bounds memory, leading to a full system compromise. The vulnerability has high severity due to the potential for remote code execution [1][2][3].
Mitigation
The vulnerability is fixed in upstream commits ca3654e for ImageMagick 7 and e6ea587 for ImageMagick 6. Users should update to the latest patched versions or apply the workaround by ensuring that any CIN image processed has an image_offset of at least 712 bytes. No known exploitation in the wild has been reported as of the publication date [2][3].
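The workaround above can be enforced before a file is handed to ImageMagick. The following is an added example, not ImageMagick's code and not the upstream patch: a pre-decode check that rejects CIN input whose image_offset is below 712. It assumes the Cineon header layout (4-byte magic 0x802A5FD7 at offset 0, byte-reversed for little-endian files, followed by the 4-byte image offset); `cin_precheck`, `cin_check_sample` and the status codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIN_MIN_IMAGE_OFFSET 712u  /* threshold named in the advisory text */

/* Hypothetical result codes for this added example. */
typedef enum { CIN_OK, CIN_NOT_CIN, CIN_TRUNCATED, CIN_BAD_OFFSET } cin_status;

/* Assumed layout: bytes 0-3 magic, bytes 4-7 image_offset; buf is the whole file. */
cin_status cin_precheck(const unsigned char *buf, size_t len)
{
    static const unsigned char magic[4] = {0x80, 0x2a, 0x5f, 0xd7};
    int i, be = 1, le = 1;
    uint32_t off = 0;

    if (buf == NULL || len < 8) return CIN_TRUNCATED;
    for (i = 0; i < 4; i++) {
        if (buf[i] != magic[i]) be = 0;      /* big-endian file */
        if (buf[i] != magic[3 - i]) le = 0;  /* byte-reversed magic: little-endian */
    }
    if (!be && !le) return CIN_NOT_CIN;
    for (i = 0; i < 4; i++)                  /* decode in the file's byte order */
        off = (off << 8) | buf[4 + (be ? i : 3 - i)];
    if (off < CIN_MIN_IMAGE_OFFSET) return CIN_BAD_OFFSET;
    if (off > len) return CIN_TRUNCATED;     /* pixel data would start past EOF */
    return CIN_OK;
}

/* Constructed sample: big-endian header with image_offset=off, zero-padded to len. */
cin_status cin_check_sample(uint32_t off, size_t len)
{
    static unsigned char f[2048];
    if (len > sizeof f) len = sizeof f;
    memset(f, 0, sizeof f);
    memcpy(f, "\x80\x2a\x5f\xd7", 4);
    f[4] = (unsigned char)(off >> 24); f[5] = (unsigned char)(off >> 16);
    f[6] = (unsigned char)(off >> 8);  f[7] = (unsigned char)off;
    return cin_precheck(f, len);
}

int main(void)
{
    printf("offset 711 -> %d\n", cin_check_sample(711, 1024));
    printf("offset 712 -> %d\n", cin_check_sample(712, 1024));
    return 0;
}
```

A check like this belongs in the upload or conversion gateway and complements, rather than replaces, updating to a patched build.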
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: = 7.1.0-27
- osv-coords (25 versions):
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.3 (no CPE) range: < 7.0.7.34-150200.10.26.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.4 (no CPE) range: < 7.0.7.34-150200.10.26.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed (no CPE) range: < 7.1.1.17-1.1
  - pkg:rpm/suse/ImageMagick&distro=HPE%20Helion%20OpenStack%208 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE) range: < 7.0.7.34-150000.3.123.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3 (no CPE) range: < 7.0.7.34-150200.10.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (no CPE) range: < 7.1.0.9-150400.6.6.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 (no CPE) range: < 7.0.7.34-150200.10.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 (no CPE) range: < 7.1.0.9-150400.6.6.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE) range: < 7.0.7.34-150000.3.123.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE) range: < 7.0.7.34-150000.3.123.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%208 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%209 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE) range: < 6.8.8.1-71.172.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE) range: < 6.8.8.1-71.172.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in the CIN image decoder allows a heap-buffer-overflow read when importing quantum pixels."
Attack vector
An attacker supplies a specially crafted CIN image file that, when processed by ImageMagick's `ReadCINImage` function, causes `ImportQuantumPixels` to read beyond the bounds of a heap-allocated pixel buffer [ref_id=1]. The overflow is a 1-byte read past the end of a 1416-byte region, detected by AddressSanitizer as a heap-buffer-overflow in `PushLongPixel` [ref_id=1]. No authentication or special privileges are required — the attacker only needs to deliver the malformed image to a victim or service that uses ImageMagick to decode it.
Affected code
The heap-buffer-overflow occurs in `PushLongPixel` at `MagickCore/quantum-private.h:256:27`, called via `ImportRGBQuantum` in `MagickCore/quantum-import.c:4061` and `ImportQuantumPixels` at `quantum-import.c:4774`, ultimately triggered from `ReadCINImage` in `coders/cin.c:774` [ref_id=1]. The vulnerable code path is exercised when decoding a crafted CIN image file.
What the fix does
The issue report does not include a patch or a committed fix [ref_id=1]. The advisory describes the crash but provides no remediation guidance or code change. As of the report, ImageMagick 7.1.0-27 is affected and no fix has been published in the referenced issue.
Preconditions
- input: The victim must process a crafted CIN image file using ImageMagick.
- auth: No authentication or special privileges required.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.debian.org/debian-lts-announce/2022/05/msg00018.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2023/05/msg00020.html (mitre, mailing-list)
- github.com/ImageMagick/ImageMagick/commit/ca3654ebf7a439dc736f56f083c9aa98e4464b7f (mitre)
- github.com/ImageMagick/ImageMagick/issues/4988 (mitre)
- github.com/ImageMagick/ImageMagick6/commit/e6ea5876e0228165ee3abc6e959aa174cee06680 (mitre)