VYPR
← All advisories
Moderate severityNVD Advisory· Published Mar 9, 2026· Updated Mar 10, 2026

ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder

CVE-2026-28692

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MAT decoder uses 32-bit arithmetic due to incorrect parenthesization resulting in a heap over-read. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick MAT decoder heap over-read due to 32-bit integer overflow from incorrect parenthesization; fixed in versions 7.1.2-16 and 6.9.13-41.

Root

Cause

ImageMagick, a widely used open-source image processing suite [1], contains a heap over-read vulnerability in its MAT decoder. The issue arises from incorrect parenthesization in arithmetic operations, causing the decoder to use 32-bit arithmetic that can overflow. This leads to an undersized buffer allocation and subsequent heap over-read when processing crafted MAT files [2][4].

Exploitation

The vulnerability can be triggered remotely by supplying a specially crafted MAT image file. No authentication or user interaction is required beyond opening the file, making it exploitable in scenarios where ImageMagick processes user-uploaded images (e.g., web applications). The attack complexity is low, and the attack vector is network [4].

Impact

Successful exploitation results in a heap over-read, potentially disclosing sensitive memory contents (confidentiality high) and causing application crashes (availability high). The CVSS v4.0 base score is 8.2 (High) [4]. Integrity is not affected.

Mitigation

The vulnerability is fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41 [2]. Users should update immediately. The fix is also included in Magick.NET 14.10.4 [3]. No workarounds are documented.

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2026-28692
  3. Release Magick.NET 14.10.4 · dlemstra/Magick.NET
  4. Heap buffer over-read via 32-bit integer overflow in MAT decoder

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.414.10.4
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-OpenMP-x86NuGet
< 14.10.414.10.4
Magick.NET-Q16-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-x86NuGet
< 14.10.414.10.4
Magick.NET-Q8-AnyCPUNuGet
< 14.10.414.10.4
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.414.10.4
Magick.NET-Q8-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q8-x64NuGet
< 14.10.414.10.4
Magick.NET-Q8-x86NuGet
< 14.10.414.10.4

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    <=7.1.2-15, <=6.9.13-40+ 1 more
    • (no CPE)range: <=7.1.2-15, <=6.9.13-40
    • (no CPE)range: >= 7.0.0, < 7.1.2-16

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.