CVE-2026-28692
Heap Over-Read in ImageMagick MAT Decoder Causes Memory Exposure
Publication date: 2026-03-10
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | Up to 6.9.13-41 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update ImageMagick to a fixed version. The vulnerability is patched in versions 7.1.2-16 and 6.9.13-41.
- Upgrade ImageMagick to version 7.1.2-16 or later if you are using the 7.x branch.
- Upgrade ImageMagick to version 6.9.13-41 or later if you are using the 6.x branch.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
CVE-2026-28692 is a moderate-severity vulnerability in the MAT decoder component of ImageMagick, software used for editing and manipulating digital images.
The vulnerability arises from incorrect parenthesization in 32-bit arithmetic operations within the MAT decoder, which leads to a 32-bit integer overflow.
This overflow causes a heap buffer over-read, meaning the program reads beyond the allocated memory buffer, potentially causing unexpected behavior or crashes.
The issue has been confirmed by an AddressSanitizer report showing a heap-buffer-overflow error triggered by an 8-byte read at an invalid heap address during decoding.
This vulnerability affects ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 and has been fixed in those versions.
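The following C program is an added illustration of the bug class the answer above describes, constructed for this page; it is not ImageMagick's MAT reader, its data structures, or the actual patch. The toy_header fields, the function names and the sample dimensions are assumptions. It places the 32-bit multiplication pattern (where only the finished product gets widened) next to a form that widens each operand first and checks every multiplication, and it shows why a length comparison done after wrapped arithmetic proves nothing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy header with 32-bit dimensions (an assumption for this
 * illustration; not ImageMagick's MAT reader or its structures). */
typedef struct {
    uint32_t rows;
    uint32_t columns;
    uint32_t bytes_per_sample;
} toy_header;

/* The bug class described above: every operand is 32 bits, so the product
 * is formed, and wraps, in 32-bit arithmetic. Widening only the finished
 * result (a cast to size_t placed around the whole product) is too late. */
uint32_t pixel_bytes_wrapping(const toy_header *h)
{
    uint32_t area = h->rows * h->columns;      /* wraps modulo 2^32 */
    return area * h->bytes_per_sample;         /* wraps again */
}

/* Portable overflow-checked multiply in size_t (no compiler builtins). */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;                          /* product would not fit */
    *out = a * b;
    return true;
}

/* Corrected form: widen each operand before multiplying and check every
 * step, so an oversized header is rejected instead of silently shrinking.
 * The check also protects 32-bit builds, where size_t is no wider. */
bool pixel_bytes_checked(const toy_header *h, size_t *out)
{
    size_t area;
    if (!mul_size((size_t)h->rows, (size_t)h->columns, &area))
        return false;
    return mul_size(area, (size_t)h->bytes_per_sample, out);
}

/* Validate in the right order: overflow check first, then compare with the
 * bytes actually present. With the wrapping form, a 65536 x 65536 x 1 header
 * would "need" 0 bytes and pass any length comparison. */
bool header_fits_payload(const toy_header *h, size_t payload_len)
{
    size_t needed;
    if (!pixel_bytes_checked(h, &needed))
        return false;
    return needed <= payload_len;
}

/* Fetch one sample byte with the index formed in size_t and checked against
 * the payload length, so the read cannot leave the buffer. */
bool sample_at(const uint8_t *payload, size_t payload_len, const toy_header *h,
               uint32_t row, uint32_t col, uint32_t byte, uint8_t *out)
{
    size_t idx, tmp;
    if (row >= h->rows || col >= h->columns || byte >= h->bytes_per_sample)
        return false;
    /* idx = (row * columns + col) * bytes_per_sample + byte */
    if (!mul_size((size_t)row, (size_t)h->columns, &tmp))
        return false;
    if (tmp > SIZE_MAX - col)
        return false;
    tmp += col;
    if (!mul_size(tmp, (size_t)h->bytes_per_sample, &idx))
        return false;
    if (idx > SIZE_MAX - byte)
        return false;
    idx += byte;
    if (idx >= payload_len)
        return false;
    *out = payload[idx];
    return true;
}

int main(void)
{
    /* Constructed sample headers and a 64-byte payload. */
    toy_header huge = { 65536u, 65536u, 1u };   /* claims 2^32 bytes */
    toy_header small = { 4u, 8u, 2u };          /* claims 64 bytes */
    uint8_t payload[64] = { 0 };
    uint8_t v = 0;
    payload[63] = 0xAB;

    printf("32-bit product for huge header: %u bytes\n",
           (unsigned)pixel_bytes_wrapping(&huge));
    printf("checked validation accepts huge header: %s\n",
           header_fits_payload(&huge, sizeof payload) ? "yes" : "no");
    if (sample_at(payload, sizeof payload, &small, 3, 7, 1, &v))
        printf("small header, sample (3,7) byte 1: 0x%02X\n", v);
    return 0;
}
```

The division-based check in mul_size is deliberately independent of compiler extensions so the same logic holds on 32-bit targets, where widening to size_t alone would not help; on such a target pixel_bytes_checked reports the huge header as an overflow rather than a size that merely exceeds the payload, and header_fits_payload rejects it either way.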
How can this vulnerability impact me?
This vulnerability can impact you by causing a heap buffer over-read during image decoding, which may lead to application crashes or denial of service.
The CVSS score indicates a low confidentiality impact, no integrity impact, and a low availability impact, meaning sensitive data exposure or data modification is unlikely.
However, since the attack vector is network-based and no privileges or user interaction are required, an attacker could exploit this remotely to disrupt services.