CVE-2026-30931
Heap-Based Buffer Overflow in ImageMagick UHDR Encoder

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can occur because a value is truncated, which allows an out-of-bounds write. This vulnerability is fixed in 7.1.2-16.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
One associated CPE:
Vendor: imagemagick
Product: imagemagick
Version / Range: up to 7.1.2-16 (excluding)
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Executive Summary

CVE-2026-30931 is a heap-based buffer overflow vulnerability in the UHDR encoder component of ImageMagick, an open-source image processing suite.

This vulnerability occurs because a value is truncated, which leads to an out-of-bounds write on the heap. In other words, the program writes data beyond the end of its allocated buffer, which can corrupt adjacent heap memory.

It affects versions of ImageMagick prior to 7.1.2-16 and was fixed in version 7.1.2-16.

Impact Analysis

The vulnerability has a moderate severity with a CVSS v3.1 base score of 6.8.

Its availability impact is high, meaning exploitation could cause a denial of service or crash in the affected software.

The integrity impact is low, so it could potentially allow some unauthorized modification of data; confidentiality is not affected.

The attack vector is local, the attack complexity is low, and no privileges or user interaction are required.

Detection Guidance

This vulnerability is a heap-based buffer overflow in the UHDR encoder component of ImageMagick versions prior to 7.1.2-16. Detection consists of verifying whether the installed ImageMagick version is below the fixed release.

You can detect the vulnerability by checking the version of ImageMagick installed on your system with the following command:

  • magick -version

If the reported version is earlier than 7.1.2-16, the installation is vulnerable. Additionally, running image processing tasks that use the UHDR encoder under AddressSanitizer or a similar memory error detector may reveal heap-buffer-overflow reports.
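A script that automates the version check described above, added here as an example; it is not part of the CVE record or of ImageMagick. It assumes the version token has the form major.minor.patch-release (for example 7.1.2-15) as printed on the Version: line of `magick -version`, and it falls back to a constructed sample of that output when the binary is not installed.

```shell
# Added example for CVE-2026-30931 (not from the CVE record or ImageMagick):
# decide whether an installed ImageMagick build predates the fixed release
# 7.1.2-16 by parsing `magick -version` output. Assumption: the version
# token has the form major.minor.patch-release, e.g. 7.1.2-15.

FIXED_VERSION="7.1.2-16"

# Pull the version token out of `magick -version` output read from stdin.
extract_version() {
    sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed (exit 0) if A is older than B.
# Components are compared numerically, so 7.1.10-1 sorts after 7.1.2-16.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= 4; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# is_vulnerable VERSION: succeed if VERSION is before the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample of `magick -version` output so the script runs offline.
SAMPLE_OUTPUT='Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC'

# Use the real binary when present, otherwise fall back to the sample.
if command -v magick >/dev/null 2>&1; then
    installed=$(magick -version | extract_version)
else
    installed=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_version)
fi
[ -n "$installed" ] || { echo "could not parse ImageMagick version" >&2; exit 2; }

if is_vulnerable "$installed"; then
    echo "ImageMagick $installed is before $FIXED_VERSION: affected by CVE-2026-30931"
else
    echo "ImageMagick $installed is $FIXED_VERSION or later: not affected"
fi
```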

Mitigation Strategies

The primary mitigation step is to upgrade ImageMagick to version 7.1.2-16 or later, where this heap-based buffer overflow vulnerability in the UHDR encoder has been fixed.

Since the attack vector is local and requires no privileges or user interaction, restricting access to systems running vulnerable versions and avoiding the processing of untrusted images with the UHDR encoder can reduce risk until the upgrade is applied.
