CVE-2026-27798Out-of-bounds Read in Imagemagick

CWE-125Out-of-bounds ReadCWE-126Buffer Over-read8 documents7 sources
Severity
7.1HIGHNVD
CNA4.0
EPSS
0.0%
top 97.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ImagemagickDlemstra Magick.net
Timeline
PublishedFeb 26

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise` operator. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages4 packages

CVEListV5imagemagick/imagemagick< 6.9.13-40+1
NVDimagemagick/imagemagick7.0.0-07.1.2-15+1
Debianimagemagick/imagemagick< 8:6.9.11.60+dfsg-1.3+deb11u10+3
NVDdlemstra/magick.net< 14.10.3

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
CVE-2026-27798: ImageMagick is free and open-source software used for editing and manipulating digital images2026-02-26
GHSA
ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images2026-02-25
CVEList
ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images2026-02-25
OSV
ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images2026-02-25

📋Vendor Advisories

2
Red Hat
ImageMagick: ImageMagick: Information disclosure via heap buffer over-read when processing images2026-02-25
Debian
CVE-2026-27798: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27798 Impact, Exploitability, and Mitigation Steps | Wiz