ImageMagick has a heap Buffer Over-Read in BilateralBlurImage
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the -bilateral-blur operation an out of bounds read can occur. This vulnerability is fixed in 7.1.2-16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick BilateralBlurImage has a heap buffer over-read via crafted images; fixed in 7.1.2-16.
CVE-2026-30935 is a heap buffer over-read vulnerability in ImageMagick's BilateralBlurImage function, caused by an incorrect conversion during image processing [2]. The bug exists prior to version 7.1.2-16 and can be triggered when a user applies the -bilateral-blur operation on a specially crafted image.
Exploitation requires an attacker to supply a malicious image to a system using ImageMagick, either via command-line invocation or through applications that rely on the library [4]. No authentication is needed if the processing is automated. The vulnerability results in an out-of-bounds read, which may expose sensitive heap memory or lead to a crash.
An attacker could potentially use the information disclosed by the read to bypass memory protections or gather internal data. While the advisory does not confirm code execution, such over-reads can be exploited in combination with other bugs [1]. The issue is fixed in ImageMagick 7.1.2-16, released on March 8, 2026, and downstream projects like Magick.NET have been updated accordingly [3].
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2026-30935
- Release Magick.NET 14.10.4 · dlemstra/Magick.NET
- Heap Buffer Over-Read in BilateralBlurImage
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Magick.NET-Q16-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-x86NuGet | < 14.10.4 | 14.10.4 |
Affected products
2<7.1.2-16+ 1 more
- (no CPE)range: <7.1.2-16
- (no CPE)range: < 7.1.2-16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-cqw9-w2m7-r2m2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30935ghsaADVISORY
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cqw9-w2m7-r2m2ghsax_refsource_CONFIRMWEB
- github.com/dlemstra/Magick.NET/releases/tag/14.10.4ghsaWEB
News mentions
0No linked articles in our index yet.