ImageMagick vulnerabilities

735 known vulnerabilities affecting imagemagick/imagemagick.

Total CVEs: 735
CISA KEV: 3 (actively exploited)
Public exploits: 12
Exploited in wild: 3
Severity breakdown: CRITICAL 52, HIGH 221, MEDIUM 434, LOW 28

Vulnerabilities

Page 1 of 37
CVE-2026-33908 | HIGH | CVSS 7.5 | CWE-674 | fixed in 6.9.13-44 and 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested struct
Sources: cvelistv5, nvd
CVE-2026-33901 | HIGH | CVSS 7.5 | CWE-122 | fixed in 7.1.2-19 and 6.9.13-44 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-40312 | MEDIUM | CVSS 6.2 | CWE-193 | fixed in 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicious MSL file is read. This issue has been fixed in version 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-34238 | MEDIUM | CVSS 5.1 | CWE-190 | fixed in 6.9.13-44 and 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-33899 | MEDIUM | CVSS 5.3 | CWE-122 | fixed in 6.9.13-44 and 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-33900 | MEDIUM | CVSS 5.9 | CWE-190 | fixed in 6.9.13-44 and 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-189 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 a
Sources: cvelistv5, nvd
CVE-2026-40310 | MEDIUM | CVSS 5.5 | CWE-122 | fixed in 7.1.2-19 and 6.9.13-44 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44 contain a heap out-of-bounds write in the JP2 encoder when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-33905 | MEDIUM | CVSS 5.5 | CWE-125 | fixed in 7.1.2-19 and 6.9.13-44 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation performs an out of bounds read when a specific offset is set through the `sample:offset` define. This issue has been fixed in versions 6.9.13-44 and 7
Sources: cvelistv5, nvd
CVE-2026-40169 | MEDIUM | CVSS 6.2 | CWE-122 | fixed in 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-33902 | MEDIUM | CVSS 5.5 | CWE-674 | fixed in 7.1.2-19 and 6.9.13-44 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-1
Sources: cvelistv5, nvd
CVE-2026-40311 | MEDIUM | CVSS 5.5 | CWE-416 | fixed in 7.1.2-19 and 6.9.13-44 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-40183 | MEDIUM | CVSS 5.5 | CWE-122 | fixed in 7.1.2-19 | 2026-04-13
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has a heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
Sources: cvelistv5, nvd
CVE-2026-33536 | MEDIUM | CVSS 4.7 | CWE-121 | fixed in 6.9.13-43 | affected ≥ 7.0.0-0, < 7.1.2-18 (+1 more) | 2026-03-26
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Sources: cvelistv5, nvd
CVE-2026-33535 | MEDIUM | CVSS 5.5 | CWE-787 | fixed in 6.9.13-43 | affected ≥ 7.0.0-0, < 7.1.2-18 (+1 more) | 2026-03-26
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Sources: cvelistv5, nvd
CVE-2026-32636 | HIGH (description record tags it MEDIUM) | CVSS 7.5 | CWE-787 | fixed in 6.9.13-42 | affected ≥ 7.0.0-0, < 7.1.2-17 (+1 more) | 2026-03-18
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out-of-bounds write of a single zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.
Sources: cvelistv5, nvd
CVE-2026-32259 | MEDIUM | CVSS 6.7 | CWE-121 | fixed in 6.9.13-41 | affected ≥ 7.0.0-0, < 7.1.2-16 (+1 more) | 2026-03-12
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, when a memory allocation fails in the sixel encoder it would be possible to write past the end of a buffer on the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Sources: cvelistv5, nvd
CVE-2026-31853 | MEDIUM | CVSS 5.5 | CWE-122 | fixed in 6.9.13-41 | affected ≥ 7.0.0-0, < 7.1.2-16 (+1 more) | 2026-03-11
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Sources: cvelistv5, nvd
CVE-2026-28693 | HIGH | CVSS 8.1 | CWE-125 | fixed in 6.9.13-41 | affected ≥ 7.0.0-0, < 7.1.2-16 (+1 more) | 2026-03-10
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in the DIB coder can result in an out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Sources: cvelistv5, nvd
CVE-2026-30929 | HIGH | CVSS 7.8 | CWE-121 | fixed in 6.9.13-41 | affected ≥ 7.0.0-0, < 7.1.2-16 (+1 more) | 2026-03-10
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Sources: cvelistv5, nvd
CVE-2026-28494 | HIGH | CVSS 7.1 | CWE-121 | fixed in 6.9.13-41 | affected ≥ 7.0.0-0, < 7.1.2-16 (+1 more) | 2026-03-10
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resu
Sources: cvelistv5, nvd