CVE-2026-30937
Heap Buffer Overflow in ImageMagick XWD Encoder Causes Memory Corruption
Publication date: 2026-03-10
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | Up to 6.9.13-41 (excluding) |
| imagemagick | imagemagick | From 7.0.0-0 (including) to 7.1.2-16 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30937 is a moderate severity vulnerability in the ImageMagick software, specifically in the XWD (X Windows) encoder component.
The issue arises from a 32-bit unsigned integer overflow during the encoding process, which causes an undersized heap buffer allocation.
When processing extremely large images, this integer overflow causes the allocated heap buffer to be smaller than required, resulting in an out-of-bounds heap buffer write (heap buffer overflow).
Technically, the overflow happens due to improper handling of CARD32 arithmetic, causing the size calculation for heap allocation to wrap around.
This flaw is identified as CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound).
Exploitation requires local access, but no privileges or user interaction are needed.
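As an added illustration (not code from ImageMagick or from this advisory), the following C model shows the CWE-190 to CWE-122 pattern the answer describes: a buffer size computed in CARD32 arithmetic wraps for an extremely large image, while the same computation widened to size_t with a check before each multiplication rejects such input. The sample dimensions, the 4 bytes per pixel and the function names are assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t CARD32;   /* the X11 32-bit unsigned type used in XWD headers */

/* Constructed sample image: 65536 x 65536 pixels at 4 bytes per pixel. */
#define SAMPLE_WIDTH  65536u
#define SAMPLE_HEIGHT 65536u
#define SAMPLE_BPP    4u

/* Vulnerable pattern (hypothetical model of the bug class in the advisory):
 * the size is computed entirely in CARD32, so 2^16 * 2^16 * 4 = 2^34 wraps
 * modulo 2^32 to 0 and the heap buffer would be allocated far too small. */
CARD32 vulnerable_size(CARD32 width, CARD32 height, CARD32 bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* True when the CARD32 result under-reports the real byte count, i.e. when an
 * allocation based on it would be overrun once the pixel data is written. */
bool would_underallocate(CARD32 width, CARD32 height, CARD32 bytes_per_pixel)
{
    unsigned long long real = (unsigned long long)width * height * bytes_per_pixel;
    return (unsigned long long)vulnerable_size(width, height, bytes_per_pixel) < real;
}

/* Hardened pattern: widen to size_t and check each multiplication before it
 * can wrap. On failure *out is 0 and false is returned, so the caller can
 * reject the image instead of calling malloc() with a wrapped size. */
bool checked_size(CARD32 width, CARD32 height, CARD32 bytes_per_pixel, size_t *out)
{
    size_t w = width, h = height, bpp = bytes_per_pixel;
    *out = 0;
    if (w == 0 || h == 0 || bpp == 0 || h > SIZE_MAX / w)
        return false;
    size_t pixels = w * h;
    if (bpp > SIZE_MAX / pixels)
        return false;
    *out = pixels * bpp;
    return true;
}

int main(void)
{
    size_t need;
    printf("CARD32 size: %u (undersized: %s)\n",
           vulnerable_size(SAMPLE_WIDTH, SAMPLE_HEIGHT, SAMPLE_BPP),
           would_underallocate(SAMPLE_WIDTH, SAMPLE_HEIGHT, SAMPLE_BPP) ? "yes" : "no");
    if (checked_size(SAMPLE_WIDTH, SAMPLE_HEIGHT, SAMPLE_BPP, &need))
        printf("checked size: %zu bytes\n", need);
    else
        printf("checked size: rejected (would overflow size_t)\n");
    return 0;
}
```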
How can this vulnerability impact me?
The vulnerability can lead to an out-of-bounds heap write when processing extremely large images, which can cause instability or crashes in the ImageMagick software.
The impact includes no loss of confidentiality, low loss of integrity, but a high impact on availability.
This means that while sensitive data is unlikely to be exposed, the software or system using ImageMagick could become unavailable or unreliable due to crashes or memory corruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability in ImageMagick's XWD encoder can be detected by monitoring for heap-buffer-overflow errors during image processing, especially when handling extremely large images.
The issue was originally detected using AddressSanitizer, a tool that can identify heap buffer overflows during runtime.
To detect this vulnerability on your system, you can run ImageMagick commands that process large XWD images under AddressSanitizer or similar memory error detection tools.
- Use AddressSanitizer with ImageMagick binaries to catch heap buffer overflows.
- Run commands like `convert large_image.xwd output.png` or `magick large_image.xwd output.png` while monitoring for memory errors.
- Check logs or error outputs for heap-buffer-overflow or integer overflow warnings during image encoding. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade ImageMagick to a fixed version.
- Update ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later, where this vulnerability has been patched.
- Avoid processing extremely large XWD images with vulnerable versions of ImageMagick.
- Restrict local access to systems running vulnerable ImageMagick versions to reduce exploitation risk.