ImageMagick has a heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in ImageMagick's XWD encoder leads to undersized heap allocation and out-of-bounds write when processing extremely large images.
Root
Cause
A 32-bit unsigned integer overflow in the XWD (X Windows) encoder causes a heap buffer allocation that is too small [2]. When writing an extremely large image, this undersized allocation leads to an out-of-bounds heap write [2]. The flaw is present in ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 [3].
Exploitation
The vulnerability is triggered by providing a specially crafted, extremely large image file to the XWD encoder for processing [2]. Writing such an image causes the overflow, resulting in the buffer under-allocation. No authentication is required if a service or script processes user-supplied images with ImageMagick.
Impact
An attacker can exploit the out-of-bounds heap write to corrupt adjacent memory. This can potentially lead to arbitrary code execution or a denial of service condition by crashing the application. The heap-buffer-overflow was confirmed using AddressSanitizer, demonstrating a write of size 1 past the allocated buffer [3].
Mitigation
The vulnerability has been fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41 [2][3]. Users should update to these patched versions as soon as possible. For systems that cannot be immediately updated, a workaround is to restrict processing of untrusted XWD images through the security policy policy.xml.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Magick.NET-Q16-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-x86NuGet | < 14.10.4 | 14.10.4 |
Affected products
2<7.1.2-16 (7.x) and <6.9.13-41 (6.x)+ 1 more
- (no CPE)range: <7.1.2-16 (7.x) and <6.9.13-41 (6.x)
- (no CPE)range: >= 7.0.0, < 7.1.2-16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-qpg4-j99f-8xcgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30937ghsaADVISORY
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcgghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.