ImageMagick has a heap buffer over-write on 32-bit systems in SFW decoder
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in ImageMagick's SFW decoder on 32-bit systems can cause a crash when processing extremely large images, fixed in versions 7.1.2-16 and 6.9.13-41.
Vulnerability
Overview
CVE-2026-31853 describes an integer overflow in the SFW (Seattle FilmWorks) decoder of ImageMagick, a widely used open-source image processing suite. The flaw occurs specifically on 32-bit systems when the decoder handles extremely large images: an arithmetic overflow during size calculations is not checked before memory is allocated or data is copied, so a heap buffer over-write can be triggered, leading to a crash [1][2][4].
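The following is an added example, not ImageMagick's own code, that shows the bug class the overview describes: a width x height x bytes-per-pixel size computed in a 32-bit size_t wraps silently, so the heap buffer ends up smaller than the pixel data copied into it. size_t is modelled as uint32_t so the wrap reproduces on a 64-bit host; the dimensions, the helper names and the "decoder step" are hypothetical and not taken from the SFW coder.

```c
/* Added example (not ImageMagick's code): a 32-bit size calculation that
 * wraps, and the pre-multiplication check that rejects such an image.
 * size_t is modelled as uint32_t so the behaviour is identical on a
 * 64-bit host. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;          /* stand-in for a 32-bit size_t */

/* Vulnerable pattern: the product is computed in 32 bits and wraps.
 * 65536 x 65536 x 1 == 2^32 wraps to 0; an allocation of that size
 * followed by a copy of the real row data over-writes the heap. */
size32_t buffer_size_unchecked(size32_t columns, size32_t rows,
                               size32_t bytes_per_pixel)
{
    return columns * rows * bytes_per_pixel;
}

/* Hardened pattern: check each multiplication before performing it.
 * Returns 1 and stores the size on success, 0 if the product does not
 * fit in 32 bits or a dimension is zero; the caller must then reject
 * the image instead of allocating. */
int buffer_size_checked(size32_t columns, size32_t rows,
                        size32_t bytes_per_pixel, size32_t *out)
{
    size32_t pixels;
    if (columns == 0 || rows == 0 || bytes_per_pixel == 0)
        return 0;
    if (columns > UINT32_MAX / rows)
        return 0;                        /* columns*rows would wrap */
    pixels = columns * rows;
    if (pixels > UINT32_MAX / bytes_per_pixel)
        return 0;                        /* pixels*bpp would wrap */
    *out = pixels * bytes_per_pixel;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when the image is rejected
 * (0 is never a valid size because zero dimensions are rejected). */
size32_t checked_size_or_zero(size32_t columns, size32_t rows,
                              size32_t bytes_per_pixel)
{
    size32_t size = 0;
    return buffer_size_checked(columns, rows, bytes_per_pixel, &size) ? size : 0;
}

/* Hypothetical decoder step modelled on the advisory's description:
 * the buffer is sized from header-supplied dimensions with the unchecked
 * arithmetic, while the row-by-row copy moves the real amount of data.
 * Returns 1 if that copy would run past the allocation, 0 otherwise. */
int decode_would_overflow(size32_t columns, size32_t rows, size32_t bpp)
{
    size32_t alloc = buffer_size_unchecked(columns, rows, bpp);
    uint64_t real_bytes = (uint64_t)columns * rows * bpp;   /* exact */
    return real_bytes > alloc;
}

int main(void)
{
    /* Constructed inputs: a plausible image and an oversized one. */
    size32_t cases[][3] = { {1000u, 1000u, 3u}, {65536u, 65536u, 1u},
                            {65537u, 65537u, 1u} };
    for (unsigned i = 0; i < 3; i++) {
        size32_t c = cases[i][0], r = cases[i][1], b = cases[i][2];
        printf("%ux%ux%u: unchecked=%u checked=%u heap over-write=%s\n",
               c, r, b, buffer_size_unchecked(c, r, b),
               checked_size_or_zero(c, r, b),
               decode_would_overflow(c, r, b) ? "yes" : "no");
    }
    return 0;
}
```

The same arithmetic does not wrap on a 64-bit size_t, which is why the advisory scopes the issue to 32-bit systems; the check is still the right fix on both, because it makes the rejection explicit rather than dependent on pointer width.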
Exploitation and Attack Surface
An attacker can exploit this vulnerability by supplying a specially crafted, oversized SFW image to an application or service that uses ImageMagick to process images. No authentication is required, and the attack can be delivered remotely if the application accepts user-uploaded images. The flaw is triggered during decoding, so any service that automatically processes untrusted images (e.g., web upload handlers, thumbnail generators) is exposed; because ImageMagick normally selects the decoder from the file's content rather than its extension, filtering on file name or declared MIME type alone does not prevent the SFW coder from running. Attack complexity is low, as it only requires crafting a malformed image file [2][4].
Impact
Successful exploitation results in a heap buffer over-write whose primary effect is a denial of service through an application crash. Memory corruption of this kind can in principle be leveraged for arbitrary code execution, but the advisory describes only the crash. The vulnerability therefore mainly affects availability; depending on the context, it could also lead to information disclosure or integrity compromise [2][4].
Mitigation
The vulnerability is patched in ImageMagick 7.1.2-16 and 6.9.13-41, released on March 8, 2026; users should update to these versions or later. For the .NET wrapper Magick.NET, version 14.10.4 bundles the fix. No workaround is documented, but limiting the size of accepted uploads and using ImageMagick's security policy (policy.xml) to disable the SFW coder reduce exposure. The advisory scopes the issue to 32-bit builds, so 64-bit deployments are not affected by this particular overflow, though they should still update [1][3][4].
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2026-31853
- Release Magick.NET 14.10.4 · dlemstra/Magick.NET
- Heap buffer over-write on 32-bit systems in SFW decoder
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (NuGet) | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-AnyCPU | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-x86 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-x86 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-x86 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-AnyCPU | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-OpenMP-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-OpenMP-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-x86 | < 14.10.4 | 14.10.4 |
Affected products
- (no CPE) range: <=7.1.2-16, <=6.9.13-41
- (no CPE) range: >= 7.0.0, < 7.1.2-16
The first range's upper bounds include the fixed releases; per the description above, 7.1.2-16 and 6.9.13-41 themselves contain the fix and are not affected.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-56jp-jfqg-f8f4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-31853 (NVD)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-56jp-jfqg-f8f4 (vendor advisory, x_refsource_CONFIRM)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.4 (Magick.NET release notes)
News mentions
No linked articles in our index yet.