ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap information disclosure vulnerability in ImageMagick's PSD handler allows uninitialized memory to leak when processing crafted ZIP-compressed layer data.
Vulnerability
Details
ImageMagick [1] is a widely used open-source image processing suite. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in its PSD (Adobe Photoshop) format handler [2]. The root cause is that when processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, the code does not initialize the pixel buffer before copying the decompressed bytes into it. The part of the buffer the decompressor never wrote still holds whatever the heap previously contained, and that uninitialized heap memory is leaked into the output image [4].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted PSD file to any application that uses ImageMagick to process images. No authentication is required if the application accepts user-uploaded images. The attack vector is local or remote, depending on how ImageMagick is integrated. The only prerequisite is that the application processes PSD files using an affected version of ImageMagick.
Impact
Successful exploitation leads to information disclosure of heap memory contents. This could expose sensitive data such as cryptographic keys, passwords, or other confidential information that resides in the heap of the ImageMagick process or other processes sharing memory. The severity is moderate, as it requires a crafted file and does not directly allow code execution.
Mitigation
The vulnerability has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2]. The fix, as shown in commit 51c9d33, initializes the pixel buffer with zeros before reading compressed data [4]. Users should update to the latest version. As a workaround, administrators can disable PSD support in ImageMagick's policy.xml if not required.
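The defect and the fix described above, reduced to their shape as an added C illustration (this is not ImageMagick's code; the function names, the 0xAA sentinel standing in for leftover heap contents, and the buffer sizes are constructed for the example): the vulnerable pattern only writes the bytes decompression produced, while the hardened pattern zeroes the pixel buffer first and reports how many bytes the stream came up short.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Emulates a recycled heap chunk: malloc'd memory that still holds old data.
 * The 0xAA fill is a constructed stand-in for whatever the allocator left. */
unsigned char *stale_heap_buffer(size_t size)
{
    unsigned char *p = malloc(size);
    if (p != NULL)
        memset(p, 0xAA, size);
    return p;
}

/* Vulnerable pattern: copy what decompression produced and nothing else.
 * Bytes [got, expected) keep the stale contents and end up in the image. */
void fill_pixels_vulnerable(unsigned char *pixels, size_t expected,
                            const unsigned char *inflated, size_t got)
{
    if (got > expected)
        got = expected;
    memcpy(pixels, inflated, got);
}

/* Hardened pattern (the shape of the upstream fix): zero the whole pixel
 * buffer before the decompressed bytes are written, so a short stream
 * yields zeroed pixels rather than heap contents.
 * Returns how many bytes decompression left unwritten (0 means a full layer),
 * which a caller may also treat as a malformed-file signal. */
size_t fill_pixels_fixed(unsigned char *pixels, size_t expected,
                         const unsigned char *inflated, size_t got)
{
    memset(pixels, 0, expected);
    if (got > expected)
        got = expected;
    memcpy(pixels, inflated, got);
    return expected - got;
}

/* Counts bytes in [got, expected) that still carry the sentinel, i.e. leaked. */
size_t count_leaked_bytes(const unsigned char *pixels, size_t expected,
                          size_t got)
{
    size_t leaked = 0;
    for (size_t i = got; i < expected; i++)
        if (pixels[i] == 0xAA)
            leaked++;
    return leaked;
}
```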
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2026-24481
- Initialize the pixels with empty values to prevent possible heap info… · ImageMagick/ImageMagick@51c9d33
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 (NuGet) | < 14.10.3 | 14.10.3 |
Affected products
- (no CPE) range: <7.1.2-15 || <6.9.13-40
- (no CPE) range: >= 7.0.0, < 7.1.2-15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-96pc-27rx-pr36 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24481 (ghsa, ADVISORY)
- github.com/ImageMagick/ImageMagick/commit/51c9d33f4770cdcfa1a029199375d570af801c97 (ghsa, WEB)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3 (ghsa, WEB)
News mentions
No linked articles in our index yet.