CVE-2026-28691
Received Received - Intake
Uninitialized Pointer Dereference in ImageMagick JBIG Decoder

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28691
EUVD
EUVD-2026-10385
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-41 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-824 The product accesses or uses a pointer that has not been initialized.
CWE-252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28691 is a high-severity vulnerability affecting the JBIG decoder component of ImageMagick, a software used for editing and manipulating digital images.

The vulnerability is caused by an uninitialized pointer dereference due to a missing check in the decoder code. This means the software uses pointers that have not been properly initialized, which can lead to unexpected behavior.

An attacker can exploit this flaw remotely over a network without needing any privileges or user interaction.

The issue is related to CWE-252 (Unchecked Return Value) and CWE-824 (Access of Uninitialized Pointer).

The vulnerability has been fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41.

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition.

Specifically, exploiting the uninitialized pointer dereference can crash the affected ImageMagick component, making the service unavailable.

There is no impact on confidentiality or integrity, so data theft or modification is not a concern with this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects ImageMagick versions prior to 7.1.2-16 and 6.9.13-41. To detect if your system is vulnerable, you should first check the installed version of ImageMagick.

  • Run the command `magick -version` or `convert -version` to determine the installed ImageMagick version.
  • If the version is older than 7.1.2-16 or 6.9.13-41, your system is vulnerable.

Since the vulnerability is a remote denial of service via the JBIG decoder, monitoring for crashes or service interruptions related to ImageMagick when processing JBIG images may also indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade ImageMagick to a fixed version.

  • Update ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later, where the vulnerability has been patched.
  • If immediate upgrade is not possible, consider restricting or disabling processing of JBIG images to prevent triggering the vulnerable code.
  • Monitor ImageMagick services for crashes or abnormal behavior that could indicate exploitation attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart