Moderate severityNVD Advisory· Published Mar 9, 2026· Updated Mar 10, 2026

ImageMagick has a write heap-buffer-overflow in PCL encoder via undersized output buffer

CVE-2026-28686

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-buffer-overflow in ImageMagick's PCL encoder due to undersized output buffer allocation can lead to memory corruption.

Vulnerability

Overview

A heap-buffer-overflow vulnerability exists in the PCL (Printer Control Language) encoder of ImageMagick, a widely used open-source image processing suite. The root cause is an undersized output buffer allocation during PCL encoding, which can lead to writing beyond the allocated memory region [2]. This issue affects versions prior to 7.1.2-16 and 6.9.13-41 [1].

Exploitation

An attacker can trigger this vulnerability by providing a specially crafted image file that, when processed by ImageMagick's PCL encoder, causes a write beyond the bounds of the allocated heap buffer. The attack vector is network-based, with low complexity and no privileges required, but user interaction is needed (e.g., opening the malicious file) [4]. The vulnerability can be exploited remotely if the attacker can deliver the crafted image to a system using ImageMagick.

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to cause a denial of service crash or, in some scenarios, achieve arbitrary code execution. The CVSS assessment indicates potential impacts on confidentiality, integrity, and availability [4].

Mitigation

The vulnerability is fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41 [2]. Users should update to these versions or later. The fix is also included in downstream libraries such as Magick.NET 14.10.4 [3]. No workarounds are documented for unpatched versions.

References

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Magick.NET-Q16-AnyCPUNuGet	< 14.10.4	14.10.4
Magick.NET-Q16-HDRI-AnyCPUNuGet	< 14.10.4	14.10.4
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-HDRI-arm64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-HDRI-x64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-HDRI-x86NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-OpenMP-arm64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-OpenMP-x64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-OpenMP-x86NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-arm64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-x64NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-x86NuGet	< 14.10.4	14.10.4
Magick.NET-Q16-HDRI-OpenMP-x64NuGet	< 14.10.4	14.10.4
Magick.NET-Q8-AnyCPUNuGet	< 14.10.4	14.10.4
Magick.NET-Q8-OpenMP-arm64NuGet	< 14.10.4	14.10.4
Magick.NET-Q8-OpenMP-x64NuGet	< 14.10.4	14.10.4
Magick.NET-Q8-arm64NuGet	< 14.10.4	14.10.4
Magick.NET-Q8-x64NuGet	< 14.10.4	14.10.4
Magick.NET-Q8-x86NuGet	< 14.10.4	14.10.4

Affected products

ImageMagick/Imagemagickllm-fuzzy2 versions
<7.1.2-16, <6.9.13-41+ 1 more
- (no CPE)range: <7.1.2-16, <6.9.13-41
- (no CPE)range: >= 7.0.0, < 7.1.2-16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-467j-76j7-5885ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-28686ghsaADVISORY
github.com/ImageMagick/ImageMagick/security/advisories/GHSA-467j-76j7-5885ghsax_refsource_CONFIRMWEB
github.com/dlemstra/Magick.NET/releases/tag/14.10.4ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000