CVE-2026-30883
Received Received - Intake
Heap Overflow in ImageMagick PNG Encoding via Large Image Profile

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30883
EUVD
EUVD-2026-10391
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-41 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30883 is a moderate severity vulnerability affecting ImageMagick versions prior to 7.1.2-16 and 6.9.13-41. It occurs in the PNG encoder component when processing an extremely large image profile, which can cause a heap buffer overwrite during encoding.

This heap overflow condition can lead to denial of service or potential integrity compromise. Exploiting this vulnerability requires local access and has a high attack complexity, but does not require any privileges or user interaction.

Impact Analysis

This vulnerability can impact you by causing a denial of service due to the heap overflow during PNG image encoding.

There is also a potential for integrity compromise, although the impact on confidentiality is none and the impact on integrity is low.

Exploitation requires local access and is complex, so remote or easy exploitation is unlikely.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects ImageMagick versions prior to 7.1.2-16 and 6.9.13-41. Detection primarily involves identifying the installed version of ImageMagick on your system.

You can check the installed ImageMagick version by running the following command in your terminal:

  • magick --version

If the version is older than 7.1.2-16 or 6.9.13-41, your system is vulnerable to this heap overflow issue when encoding PNG images with extremely large image profiles.

Mitigation Strategies

The immediate mitigation step is to upgrade ImageMagick to a patched version that addresses this vulnerability.

  • Update ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later.

Since the vulnerability requires local access and has a high attack complexity, limiting local access to trusted users and monitoring for unusual PNG encoding activity can also help reduce risk until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30883. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart