VYPR
High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026

ImageMagick has an uninitialized pointer dereference in JBIG decoder

CVE-2026-28691

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick's JBIG decoder dereferences an uninitialized pointer because of a missing check; a crafted JBIG file can crash the process and potentially lead to code execution. Fixed in versions 7.1.2-16 and 6.9.13-41.

Root Cause CVE-2026-28691 is an uninitialized pointer dereference in ImageMagick's JBIG decoder [1][2]. A missing check lets a pointer be used before it has been assigned, so decoding a specially crafted JBIG image reads through whatever value happens to be in that memory, which is undefined behavior [4].

Exploitation An attacker exploits this by supplying a malicious JBIG image to an application or service that decodes images with ImageMagick [2]. No authentication is needed beyond whatever the application requires to accept a file, and the attack works remotely wherever user-supplied images are processed, for example through web uploads, email attachments, or shared files [4]. Attack complexity is low in practice: the crafted file only has to reach the decoder. Note that the JBIG coder is only present in builds compiled with the JBIG-KIT delegate (listed as jbig on the Delegates line of magick -version); builds without it do not contain the vulnerable code path.

Impact Successful exploitation results in a denial of service through an application crash, and could potentially allow arbitrary code execution in the context of the vulnerable process [3][4]. The advisory rates the issue High severity; the practical exposure is wide because ImageMagick is embedded in web services, content management systems, and image processing pipelines that routinely decode untrusted files.

Mitigation The vulnerability is fixed in ImageMagick 7.1.2-16 and 6.9.13-41 [2][3]; Magick.NET consumers get the fix in 14.10.4. Update as soon as possible. No official workaround is published. Denying the JBIG coder in policy.xml (a policy entry with domain="coder" and rights="none" whose pattern covers the coder's registered names JBIG, JBG and BIE) keeps crafted JBIG files from reaching the decoder, and so reduces exposure until the update is deployed, but it is a compensating control rather than a fix. Builds compiled without the JBIG-KIT delegate do not include the decoder at all.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (NuGet)                       Affected versions   Patched versions
Magick.NET-Q16-AnyCPU                 < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-AnyCPU            < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-OpenMP-arm64      < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-arm64             < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-x64               < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-x86               < 14.10.4           14.10.4
Magick.NET-Q16-OpenMP-arm64           < 14.10.4           14.10.4
Magick.NET-Q16-OpenMP-x64             < 14.10.4           14.10.4
Magick.NET-Q16-OpenMP-x86             < 14.10.4           14.10.4
Magick.NET-Q16-arm64                  < 14.10.4           14.10.4
Magick.NET-Q16-x64                    < 14.10.4           14.10.4
Magick.NET-Q16-x86                    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-OpenMP-x64        < 14.10.4           14.10.4
Magick.NET-Q8-AnyCPU                  < 14.10.4           14.10.4
Magick.NET-Q8-OpenMP-arm64            < 14.10.4           14.10.4
Magick.NET-Q8-OpenMP-x64              < 14.10.4           14.10.4
Magick.NET-Q8-arm64                   < 14.10.4           14.10.4
Magick.NET-Q8-x64                     < 14.10.4           14.10.4
Magick.NET-Q8-x86                     < 14.10.4           14.10.4

Affected products

2
  • ImageMagick/ImageMagick (llm-fuzzy match), 2 version ranges
    • (no CPE) range: < 7.1.2-16, < 6.9.13-41
    • (no CPE) range: >= 7.0.0, < 7.1.2-16
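The following is an added example, not code from ImageMagick, Magick.NET or this advisory's sources. It turns the Mitigation guidance and the affected ranges above into a check a practitioner can run: it parses the version banner that magick -version prints, decides whether the build sits inside the advisory's affected ranges (>= 7.0.0 and < 7.1.2-16, or < 6.9.13-41; Magick.NET < 14.10.4), confirms the build actually links JBIG-KIT, and audits a policy.xml for whether every registered name of the JBIG coder (JBIG, JBG, BIE) is denied. The banner text and the three policy files are constructed sample input; the assess() verdict strings are this example's own.

```python
"""Check an ImageMagick build or Magick.NET pin against CVE-2026-28691's affected
ranges and audit policy.xml for a JBIG coder denial.

Added example, not project code. Version boundaries are the advisory's; the banner
and policy snippets below are constructed for illustration, not real system output.
"""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

FIXED_7 = (7, 1, 2, 16)         # first fixed release on the 7.x branch
FIXED_6 = (6, 9, 13, 41)        # first fixed release on the 6.x legacy branch
FIXED_MAGICK_NET = (14, 10, 4)  # patched version for every Magick.NET NuGet variant

# The JBIG coder registers three format names. A policy that denies only "JBIG"
# still lets a file declared as BIE or JBG reach the same decoder.
JBIG_CODER_NAMES = ("JBIG", "JBG", "BIE")

_BANNER_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample of `magick -version` output (version chosen inside the range).
SAMPLE_BANNER = """Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 22763 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma png tiff xml zlib
"""

# Constructed policy.xml fragments: no JBIG rule, a rule covering one alias, all three.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
</policymap>"""
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="JBIG"/>
</policymap>"""
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
  <policy domain="coder" rights="none" pattern="{JBIG,JBG,BIE}"/>
</policymap>"""


def parse_im_version(banner):
    """Extract (major, minor, patch, release) from the 'Version:' line."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("no 'ImageMagick X.Y.Z-N' string in banner")
    return tuple(int(g) for g in m.groups())


def has_jbig_delegate(banner):
    """The JBIG decoder exists only in builds linked with JBIG-KIT ('jbig' in Delegates)."""
    m = re.search(r"^Delegates \(built-in\):\s*(.*)$", banner, re.MULTILINE)
    return m is not None and "jbig" in m.group(1).split()


def is_affected_imagemagick(v):
    """Mirror the advisory's ranges: >= 7.0.0 and < 7.1.2-16, or < 6.9.13-41."""
    if v >= (7, 0, 0, 0):
        return v < FIXED_7
    return v < FIXED_6


def is_affected_magick_net(version):
    """NuGet version string such as '14.10.3'; missing components count as 0."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) < FIXED_MAGICK_NET


def _expand_braces(pattern):
    """policy.xml patterns may list alternatives in braces: '{PS,EPS,PDF}'."""
    m = re.fullmatch(r"\{(.*)\}", pattern)
    if m:
        return [p.strip() for p in m.group(1).split(",")]
    return [pattern]


def undenied_jbig_aliases(policy_xml):
    """Return the JBIG coder names not covered by a coder/rights="none" policy.
    An empty set means no JBIG-named input reaches the decoder; anything else is a gap."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        for alt in _expand_braces(pol.get("pattern", "")):
            for name in JBIG_CODER_NAMES:
                if fnmatchcase(name, alt.upper()):  # glob match, e.g. "*" denies all
                    denied.add(name)
    return set(JBIG_CODER_NAMES) - denied


def assess(banner, policy_xml):
    """Combine version, delegate and policy checks into one verdict string."""
    if not is_affected_imagemagick(parse_im_version(banner)):
        return "fixed"
    if not has_jbig_delegate(banner):
        return "affected version, but built without JBIG support"
    gaps = undenied_jbig_aliases(policy_xml)
    if gaps:
        return "VULNERABLE: update; policy leaves %s reachable" % ",".join(sorted(gaps))
    return "affected version, JBIG coder denied by policy (update still required)"


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "->", assess(SAMPLE_BANNER, pol))
```

Run it against the real banner by piping magick -version (or convert -version on 6.x) into parse_im_version, and against the live policy file that magick -list policy reports. The alias check is the part people get wrong: a single pattern="JBIG" rule reads as a fix but leaves the JBG and BIE names, which select the same coder, untouched.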

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.