VYPR
High severity · 7.5 · NVD Advisory · Published Jun 10, 2026

CVE-2026-53461

Description

ImageMagick's ICON decoder has an out-of-bounds heap write vulnerability, leading to crashes, patched in recent versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An incorrect loop in the ICON decoder within ImageMagick versions prior to 6.9.13-50 and 7.1.2-25 can result in an out-of-bounds heap write, leading to a crash. This vulnerability affects the ICON image format processing [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted ICON image file to a system processing images with ImageMagick. No specific privileges or user interaction are mentioned as required for exploitation in the available references [1].

Impact

Successful exploitation of this vulnerability can lead to a crash of the ImageMagick process, resulting in a denial-of-service condition. The vulnerability allows for an out-of-bounds heap write, which could potentially lead to more severe impacts depending on the context, though specific details are not provided [1].

Mitigation

This vulnerability has been patched in ImageMagick versions 6.9.13-50 and 7.1.2-25. Users are advised to update to these fixed versions or later to mitigate the risk [1].
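
To check an installed build against the fixed versions named above, this added example (not part of the advisory or of ImageMagick's own code) classifies the version banner printed by `magick -version`. The banner strings are constructed samples, and comparing each release line only against the fix for its own major version is an assumption.

```python
import re

# Fixed releases named in the advisory text, keyed by major version.
FIXED = {6: (6, 9, 13, 50), 7: (7, 1, 2, 25)}

# Version token as it appears in `magick -version` output,
# e.g. "Version: ImageMagick 7.1.1-47 Q16-HDRI x86_64 ...".
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch) from a banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(banner):
    """Return 'patched', 'vulnerable' or 'unknown' for a version banner.

    Assumption: a 6.x build is compared only with the 6.x fix and a 7.x
    build only with the 7.x fix; other majors are reported as 'unknown'.
    """
    version = parse_version(banner)
    if version is None:
        return "unknown"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-25 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-49 Q16 x86_64 https://legacy.imagemagick.org",
    "Version: ImageMagick 6.9.13-50 Q16 x86_64 https://legacy.imagemagick.org",
    "GraphicsMagick 1.3.42 Q16 http://www.GraphicsMagick.org/",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):10s} {line}")
```

An 'unknown' result means the banner was not recognised or belongs to a release line the advisory does not cover, so it needs manual review, not a pass.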

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • ImageMagick/Imagemagick (inferred), 2 versions
    • (no CPE) range: >=6.9.13,<7.1.2
    • (no CPE) range: >=6.9.13-50, >=7.1.2-25

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
