ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer over-read in ImageMagick's -wavelet-denoise operator when processing small images could lead to information disclosure or crash.
Vulnerability
Overview
ImageMagick, a widely used open-source image processing suite, contains a heap buffer over-read vulnerability in its -wavelet-denoise operator. The flaw occurs when processing images with small dimensions, causing the software to read memory beyond the allocated buffer boundary. This issue affects versions prior to 7.1.2-15 and 6.9.13-40 [1][4].
Exploitation
Details
An attacker can trigger the vulnerability by supplying a crafted image file with small dimensions to an application or service that uses ImageMagick's -wavelet-denoise operator. No authentication is required if the service processes user-uploaded images. The attack complexity is low, as the operator is commonly invoked via command-line or API calls [4].
Impact
Successful exploitation results in a heap buffer over-read, which may lead to information disclosure (reading sensitive data from memory) or cause a denial of service (crash). The confidentiality impact is rated high, while integrity and availability impacts are low [4].
Mitigation
The vulnerability has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users should update to these or later versions. The fix is also included in downstream projects such as Magick.NET 14.10.3 [3]. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Magick.NET-Q16-AnyCPUNuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-AnyCPUNuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-OpenMP-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-HDRI-x86NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-OpenMP-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-OpenMP-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-OpenMP-x86NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q16-x86NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-AnyCPUNuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-OpenMP-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-OpenMP-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-arm64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-x64NuGet | < 14.10.3 | 14.10.3 |
Magick.NET-Q8-x86NuGet | < 14.10.3 | 14.10.3 |
Affected products
2<7.1.2-15 and <6.9.13-40+ 1 more
- (no CPE)range: <7.1.2-15 and <6.9.13-40
- (no CPE)range: < 6.9.13-40
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-qpgx-jfcq-r59fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27798ghsaADVISORY
- github.com/ImageMagick/ImageMagick/commit/0377e60b3c0d766bd7271221c95d9ee54f6a3738ghsax_refsource_MISCWEB
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59fghsax_refsource_CONFIRMWEB
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.