ImageMagick allows attackers to write beyond memory limits in image files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

ImageMagick allows attackers to write beyond memory limits in image files

CVE-2026-28493 GHSA-r39q-jr8h-gcq2

Summary

An attacker can create a malicious image file that exploits a weakness in the way ImageMagick handles certain types of images, potentially allowing them to execute arbitrary code or crash the application. This affects systems that use ImageMagick to process or open image files. To mitigate this risk, ensure you're running the latest version of ImageMagick and only open trusted image files from known sources.

What to do

Update magick.net-q16-anycpu to version 14.10.4.
Update magick.net-q16-hdri-anycpu to version 14.10.4.
Update magick.net-q16-hdri-openmp-arm64 to version 14.10.4.
Update magick.net-q16-hdri-arm64 to version 14.10.4.
Update magick.net-q16-hdri-x64 to version 14.10.4.
Update magick.net-q16-hdri-x86 to version 14.10.4.
Update magick.net-q16-openmp-arm64 to version 14.10.4.
Update magick.net-q16-openmp-x64 to version 14.10.4.
Update magick.net-q16-openmp-x86 to version 14.10.4.
Update magick.net-q16-arm64 to version 14.10.4.
Update magick.net-q16-x64 to version 14.10.4.
Update magick.net-q16-x86 to version 14.10.4.
Update magick.net-q16-hdri-openmp-x64 to version 14.10.4.
Update magick.net-q8-anycpu to version 14.10.4.
Update magick.net-q8-openmp-arm64 to version 14.10.4.
Update magick.net-q8-openmp-x64 to version 14.10.4.
Update magick.net-q8-arm64 to version 14.10.4.
Update magick.net-q8-x64 to version 14.10.4.
Update magick.net-q8-x86 to version 14.10.4.

Affected software

Vendor	Product	Affected versions	Fix available
–	magick.net-q16-anycpu	<= 14.10.4	14.10.4
–	magick.net-q16-hdri-anycpu	<= 14.10.4	14.10.4
–	magick.net-q16-hdri-openmp-arm64	<= 14.10.4	14.10.4
–	magick.net-q16-hdri-arm64	<= 14.10.4	14.10.4
–	magick.net-q16-hdri-x64	<= 14.10.4	14.10.4
–	magick.net-q16-hdri-x86	<= 14.10.4	14.10.4
–	magick.net-q16-openmp-arm64	<= 14.10.4	14.10.4
–	magick.net-q16-openmp-x64	<= 14.10.4	14.10.4
–	magick.net-q16-openmp-x86	<= 14.10.4	14.10.4
–	magick.net-q16-arm64	<= 14.10.4	14.10.4
–	magick.net-q16-x64	<= 14.10.4	14.10.4
–	magick.net-q16-x86	<= 14.10.4	14.10.4
–	magick.net-q16-hdri-openmp-x64	<= 14.10.4	14.10.4
–	magick.net-q8-anycpu	<= 14.10.4	14.10.4
–	magick.net-q8-openmp-arm64	<= 14.10.4	14.10.4
–	magick.net-q8-openmp-x64	<= 14.10.4	14.10.4
–	magick.net-q8-arm64	<= 14.10.4	14.10.4
–	magick.net-q8-x64	<= 14.10.4	14.10.4
–	magick.net-q8-x86	<= 14.10.4	14.10.4
imagemagick	imagemagick	<= 7.1.2-16	–

Original title

ImageMagick has Integer Overflow leading to out of bounds write in SIXEL decoder

Original description

An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.

nvd CVSS3.1 6.5

Vulnerability type

CWE-190 Integer Overflow

Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026