CVE-2026-23876
ImageMagick is free and open-source software used for editing and
Publication date: 2026-01-20
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Affected Vendors & Products
| Vendor | Product | Version |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-38 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23876 is a high-severity heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) of ImageMagick. It occurs because of an integer truncation error during buffer size calculation: the number of image rows (image->rows) is truncated from a larger size_t to an unsigned int when allocating memory, but the code writes data using the original larger value. This mismatch allows an attacker to write beyond the allocated heap buffer when processing a maliciously crafted XBM image file. The attacker controls both the size of the overflow and the data written, making it exploitable through any operation that reads or identifies an image, such as image upload and processing pipelines. [1]
How can this vulnerability impact me? :
This vulnerability can lead to a heap buffer overflow, which may allow remote attackers to execute arbitrary code, cause a denial of service, or corrupt memory by submitting specially crafted XBM images. Since the vulnerability can be triggered by any image reading or identification operation, it poses a risk to systems that process images, including web services, content management systems, and CI/CD pipelines using ImageMagick. The impact includes high confidentiality, integrity, and availability risks without requiring user interaction or privileges. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the processing of maliciously crafted XBM image files that trigger heap buffer overflows in ImageMagick versions prior to 7.1.2-13 and 6.9.13-38. Detection can involve using AddressSanitizer (ASan) or similar memory error detection tools to identify heap-buffer-overflow errors during image processing. Additionally, scanning for usage of vulnerable ImageMagick versions and checking logs for errors related to 'CorruptImageError' or improper image headers during image uploads or processing can help detect exploitation attempts. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading ImageMagick to versions 7.1.2-13 or 6.9.13-38 or later, which contain patches that add overflow checks and prevent out-of-bounds writes in the XBM image decoder. If upgrading is not immediately possible, restricting or disabling processing of XBM image files, especially from untrusted sources, can reduce risk. Applying the patch that introduces safe memory allocation and overflow checks in the ReadXBMImage function is also recommended. [1, 2]