VYPR
← All advisories
Moderate severityNVD Advisory· Published Mar 9, 2026· Updated Mar 10, 2026

ImageMagick has a heap-based buffer overflow in UHDR encoder

CVE-2026-30931

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. This vulnerability is fixed in 7.1.2-16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer overflow in ImageMagick's UHDR encoder, caused by value truncation, allows out-of-bounds write and is fixed in version 7.1.2-16.

Vulnerability

Overview

CVE-2026-30931 describes a heap-based buffer overflow vulnerability in the UHDR encoder of ImageMagick, a widely used open-source image processing suite [1]. The root cause is a truncation of a value during encoding, which leads to an out-of-bounds write on the heap [2]. This flaw exists in versions prior to 7.1.2-16 [2].

Exploitation and

Attack Surface

An attacker can exploit this vulnerability by providing a specially crafted image file that triggers the UHDR encoder path [4]. The attack vector is network-based, requiring no privileges and no user interaction, making it remotely exploitable [4]. The complexity is low, as the overflow occurs during normal processing of the image [4].

Impact

Successful exploitation allows an attacker to write data beyond the allocated heap buffer, potentially leading to memory corruption [2]. This can result in denial of service, or in more severe cases, arbitrary code execution depending on the heap layout and mitigations [4]. The vulnerability affects confidentiality, integrity, and availability [4].

Mitigation

The vulnerability is fixed in ImageMagick version 7.1.2-16, released on 2026-03-08 [3]. Users are strongly advised to update to this version or later [2]. No workarounds are mentioned, but applying the security policy recommendations from ImageMagick can help reduce risk [1]. The issue is also tracked as GHSA-h95r-c8c7-mrwx [4].

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2026-30931
  3. Release Magick.NET 14.10.4 · dlemstra/Magick.NET
  4. Heap-based buffer overflow in UHDR encoder

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.414.10.4
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-OpenMP-x86NuGet
< 14.10.414.10.4
Magick.NET-Q16-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q16-x64NuGet
< 14.10.414.10.4
Magick.NET-Q16-x86NuGet
< 14.10.414.10.4
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.414.10.4
Magick.NET-Q8-AnyCPUNuGet
< 14.10.414.10.4
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.414.10.4
Magick.NET-Q8-arm64NuGet
< 14.10.414.10.4
Magick.NET-Q8-x64NuGet
< 14.10.414.10.4
Magick.NET-Q8-x86NuGet
< 14.10.414.10.4

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    <=7.1.2-16+ 1 more
    • (no CPE)range: <=7.1.2-16
    • (no CPE)range: < 7.1.2-16

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.