CVE-2026-46520 · Severity: HIGH · CNA: GitHub_M

CVE-2026-46520: ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an out-of-bounds heap write can occur when reading multiple images with different dimensions. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 6.9.13-48 (6.x branch), 7.1.2-23 (7.x branch)
  • Affected products: 1


HarborGuard Analysis

Synopsis

Heap buffer over-write in ImageMagick's IPL decoder allows a remote, unauthenticated attacker to trigger an out-of-bounds write on the heap by supplying a crafted sequence of images with varying dimensions. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation crashes the ImageMagick process, causing a denial of service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment fix versions are confirmed upstream.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ImageMagick. Any image containing an affected version of ImageMagick is flagged automatically in registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on their configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix version appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once upstream ships.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the ImageMagick-processing service over the network; no local access or physical presence is needed.

  • Authentication: Not required

    No credentials or account are required; the vulnerability is exploitable by any unauthenticated network peer.

  • Victim interaction: Not required

    The attack completes without any action from a user or operator on the target system.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, memory-layout dependencies, or special environmental factors are needed.

Blast Radius

  • The ImageMagick worker process crashes, interrupting any image-processing pipeline or service that depends on it.
  • Repeated triggering of the crash denies service to all workloads relying on the affected ImageMagick instance.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a confirmed fix version is released. In the interim, customers can apply compensating controls through HarborGuard network policies: isolate containers running ImageMagick from untrusted ingress, restrict accepted image formats at the application layer to exclude IPL input where feasible, and gate multi-image processing behind feature flags if the workload allows. For customers with auto-remediation enabled, once a fix version is published upstream the rebuild, regression test run, and PR against affected workloads will be initiated automatically, with median time from CVE patch publication to merged PR around 90 minutes for high-severity issues in those environments.
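The IPL restriction described above can be enforced inside ImageMagick itself, not only at the application layer, through the library's security policy. This is an added example, not HarborGuard's or the ImageMagick project's own configuration; the file location is an assumption, since it differs between distributions and builds:

```xml
<!-- Excerpt of an ImageMagick policy.xml (typically under /etc/ImageMagick-6/ or
     /etc/ImageMagick-7/ on Linux distributions; the exact path is an assumption).
     Stock builds carry no coder restriction, so the IPL decoder is reachable by
     any input ImageMagick identifies as that format, whatever its file extension. -->
<policymap>
  <!-- Deny the IPL coder all rights: reads and writes of IPL data are refused before
       the decoder runs, which keeps the vulnerable code path unreachable until the
       fixed package is deployed. -->
  <policy domain="coder" rights="none" pattern="IPL" />
</policymap>
```

Confirm the policy is in effect with `magick -list policy` (ImageMagick 7) or `convert -list policy` (ImageMagick 6); an attempted IPL read then fails with a "not authorized" error instead of reaching the decoder.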

Affected packages

  • ImageMagick / ImageMagick: < 6.9.13-48 · < 7.1.2-23

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H