ImageMagick has an Integer Overflow leading to out-of-bounds write in SIXEL decoder
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoder. The vulnerability allows an attacker to perform an out-of-bounds write via a specially crafted image. This vulnerability is fixed in 7.1.2-16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in ImageMagick's SIXEL decoder allows out-of-bounds write via crafted image, fixed in 7.1.2-16.
Vulnerability
CVE-2026-28493 is an integer overflow vulnerability in the SIXEL decoder of ImageMagick, a widely used image processing library [1]. The flaw exists in versions prior to 7.1.2-16 and can be triggered when processing a specially crafted image, leading to an out-of-bounds write [2].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious SIXEL image to ImageMagick. No authentication is required, and the attack can be delivered remotely if the application processes user-supplied images. The integer overflow causes incorrect memory allocation or bounds checking, resulting in a write beyond the allocated buffer [4].
Impact
Successful exploitation could allow an attacker to corrupt memory, potentially leading to arbitrary code execution or denial of service. The severity is elevated due to the lack of authentication and the potential for remote exploitation [2].
Mitigation
The vulnerability is patched in ImageMagick version 7.1.2-16 [3]. Users should update to this version or later. There are no known workarounds; processing untrusted images with older versions is not recommended [4].
[1] GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
[2] NVD - CVE-2026-28493
[3] Release Magick.NET 14.10.4 · dlemstra/Magick.NET
[4] Integer Overflow lead to out of bounds write in SIXEL decoder (GitHub Security Advisory)
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-arm64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-x64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-arm64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-x64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-x86 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-arm64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-x64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-x86 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-OpenMP-arm64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-OpenMP-x64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-arm64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-x64 (NuGet) | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-x86 (NuGet) | < 14.10.4 | 14.10.4 |
Affected products
- ImageMagick (no CPE), range: < 7.1.2-16
- ImageMagick (no CPE), range: < 7.1.2-16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r39q-jr8h-gcq2 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-28493 (source: ghsa; type: ADVISORY)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r39q-jr8h-gcq2 (source: ghsa; tags: x_refsource_CONFIRM, WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.4 (source: ghsa; type: WEB)
News mentions
No linked articles in our index yet.