SB2026051818 - Multiple vulnerabilities in ImageMagick
Published: May 18, 2026 Updated: May 31, 2026
Description
This security bulletin contains information about 13 vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-46521)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error in the MIFF encoder when using LZMA compression. A remote attacker can trigger an out-of-bounds write and perform a denial of service (DoS) attack on the system.
2) Stack-based buffer overflow (CVE-ID: CVE-2026-46557)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the fx operation. A local attacker can trigger a stack-based buffer overflow and cause a denial of service condition on the target system.
3) Out-of-bounds write (CVE-ID: CVE-2026-46559)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the JP2 encoder. A local attacker can trigger an out-of-bounds write and perform a denial of service (DoS) attack on the target system.
4) Use-after-free (CVE-ID: CVE-2026-46523)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in the MSL decoder. A local attacker can perform a denial of service (DoS) attack.
5) Infinite loop (CVE-ID: CVE-2026-46522)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in the MIFF decoder. A remote attacker can consume all available system resources and cause denial of service conditions.
6) Out-of-bounds write (CVE-ID: CVE-2026-46520)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error in the IPL decoder when reading multiple images of different dimensions. A remote attacker can trigger an out-of-bounds write and perform a denial of service (DoS) attack on the system.
7) Race condition (CVE-ID: CVE-2026-46693)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to a race condition in the distributed pixel cache server when handling connections to the magick -distribute-cache service. A local privileged user can win the race condition to hijack a file descriptor in the server process to disclose sensitive information.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-46692)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the distributed pixel cache server when handling connections to the magick -distribute-cache service. A local privileged user can connect to the service to cause a denial of service.
9) Missing Authentication for Critical Function (CVE-ID: CVE-2026-47165)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to improper authentication in the distributed pixel cache server when handling distributed pixel cache connections. A local privileged user can access the service without a challenge-response authentication model to disclose sensitive information.
10) Out-of-bounds read (CVE-ID: CVE-2026-47166)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information and cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the distributed pixel cache server when handling connections to the magick -distribute-cache service. A local privileged user can connect to the service to disclose sensitive information and cause a denial of service.
11) Path traversal (CVE-ID: CVE-2026-49219)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to path traversal in filename parsing when processing a filename that uses a symlink. A local user can supply a crafted filename to disclose sensitive information.
The issue can bypass configured security policy restrictions on file access.
12) Input validation error (CVE-ID: CVE-2026-49218)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the DCM decoder when parsing crafted DCM images. A remote attacker can supply a specially crafted DCM image to cause a denial of service.
The issue can produce an image with invalid dimensions, which may lead to crashes in subsequent operations.
13) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to create or truncate files that are disallowed by the security policy.
The vulnerability exists due to a time-of-check time-of-use race condition in the policy check logic when handling file creation or truncation operations. A local user can trigger an incorrect check to create or truncate files that are disallowed by the security policy.
This is relevant for sandboxed conversion services that rely on ImageMagick path policies for write-boundary enforcement.
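Items 11 and 13 describe path-based policy checks that a symlink or a timing window can defeat. The following is an added example, not code from ImageMagick or from this bulletin: a Python helper with which a conversion service can enforce its own write boundary on the descriptor it opens, independent of the library's path policy. The function name `open_output_in_boundary` and the directory layout in `demo()` are assumptions made for illustration.

```python
import os
import stat
import tempfile

# A path check followed by open(path) resolves the name twice; a symlink
# placed between the two steps makes the check and the write disagree.
# Here the checks run on the descriptor that is later written to.

def open_output_in_boundary(base, name):
    """Open `name` for writing directly inside `base`, refusing links."""
    if name in ("", ".", "..") or "/" in name or "\x00" in name:
        raise PermissionError("output name must be a single path component")
    dir_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW: fail (ELOOP) if the final component is a symlink.
        # No O_TRUNC: nothing is modified before the checks below pass.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW,
                     0o600, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        st = os.fstat(fd)  # inspects the opened object, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError("not a private regular file")
        os.ftruncate(fd, 0)  # truncate only after the checks passed
    except Exception:
        os.close(fd)
        raise
    return fd

def demo():
    """Constructed layout: out/ is the boundary, secret.txt lies outside."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "out")
        os.mkdir(base)
        outside = os.path.join(root, "secret.txt")
        with open(outside, "w") as f:
            f.write("keep")
        os.symlink(outside, os.path.join(base, "result.png"))
        try:
            os.close(open_output_in_boundary(base, "result.png"))
            refused = False
        except OSError:
            refused = True
        with open(outside) as f:
            return refused, f.read()

if __name__ == "__main__":
    print(demo())
```

The service then writes the converter's output to the returned descriptor instead of handing a caller-supplied output path to the converter.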
Remediation
Install the update from the vendor's website.
References
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rcr6-g7jc-f57g
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5r4x-w6p5-222q
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-36wm-hprc-mcf5
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p93h-f2jc-477j
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2rgj-gx5x-f62w
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6gxq-f64p-5w6f
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xcjm-wqff-m669
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8pj9-6897-74xc
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm48-c7f2-v67p