CVE-2026-47165
Status: Received - Intake
Heap-based Buffer Overflow in ImageMagick

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23.
Affected Vendors & Products
Showing 1 associated CPE

Vendor: imagemagick
Product: imagemagick
Version / Range: up to 6.9.13-48 (excluding); up to 7.1.2-23 (excluding)
CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Mitigation Strategies

To mitigate this vulnerability, update ImageMagick to version 6.9.13-48 or later (6.x line) or 7.1.2-23 or later (7.x line), where the distributed pixel cache now uses a challenge–response authentication model. The fix only matters where the distributed pixel cache server is actually run; until the update is applied, do not expose such a server to hosts that are not trusted with the image data it holds.

Executive Summary

This vulnerability relates to ImageMagick, free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache component of ImageMagick was designed to operate without a challenge–response authentication model: the cache server did not verify that a client was authorized before serving requests, so any client able to reach it could read the pixel data it held. The assigned weakness, CWE-200, reflects this as an information exposure.
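The following is an added, simplified model of the before-and-after behaviour described above; it is not ImageMagick's code and does not reproduce its actual wire protocol, which this page does not describe. The class and function names, the HMAC-SHA256 construction, the shared secret and the sample pixel bytes are all assumptions made for the example. The legacy server answers any read; the fixed server issues a random single-use nonce and only serves a read whose response is a valid HMAC over that nonce, which also defeats replay of a captured exchange.

```python
import hashlib
import hmac
import secrets

# Constructed sample cache contents and key; not real ImageMagick data.
SAMPLE_PIXELS = {"image-1": bytes(range(16))}
SHARED_SECRET = b"operator-provisioned-secret"


def compute_response(secret, nonce, image_id):
    """Client-side answer to a challenge: HMAC-SHA256(secret, nonce || 0x00 || image_id)."""
    return hmac.new(secret, nonce + b"\x00" + image_id.encode(), hashlib.sha256).digest()


class PixelCacheServer:
    """Toy model of a distributed pixel cache server (hypothetical, not ImageMagick's).

    With secret=None it behaves like the pre-fix design and serves every read.
    With a secret, each read must present a server-issued, single-use nonce
    and the matching HMAC response (challenge-response authentication).
    """

    def __init__(self, secret=None, pixels=SAMPLE_PIXELS):
        self.secret = secret
        self.pixels = dict(pixels)
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        """Issue a fresh random nonce that the client must answer."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def read(self, image_id, nonce=None, response=None):
        """Return the cached pixel bytes, or None if the request is refused."""
        if self.secret is None:
            return self.pixels.get(image_id)  # legacy: no authentication at all
        if nonce not in self.outstanding:
            return None  # unknown nonce, or one that was already used (replay)
        self.outstanding.discard(nonce)  # single use, even if the answer is wrong
        expected = compute_response(self.secret, nonce, image_id)
        if response is None or not hmac.compare_digest(expected, response):
            return None  # wrong secret or tampered request
        return self.pixels.get(image_id)


class PixelCacheClient:
    """Client that performs the challenge-response handshake before each read."""

    def __init__(self, server, secret):
        self.server = server
        self.secret = secret

    def read(self, image_id):
        nonce = self.server.challenge()
        return self.server.read(image_id, nonce, compute_response(self.secret, nonce, image_id))


def demo():
    """Exercise legacy vs. fixed behaviour; returns a dict of boolean outcomes."""
    legacy = PixelCacheServer(secret=None)
    fixed = PixelCacheServer(secret=SHARED_SECRET)
    results = {
        # Pre-fix: an unauthenticated read succeeds.
        "legacy_unauthenticated_read": legacy.read("image-1") is not None,
        # Post-fix: the same bare read is refused.
        "fixed_unauthenticated_read": fixed.read("image-1") is not None,
        # Post-fix: a client with the wrong secret is refused.
        "fixed_wrong_secret": PixelCacheClient(fixed, b"guess").read("image-1") is not None,
        # Post-fix: a client holding the shared secret gets the pixels.
        "fixed_right_secret": PixelCacheClient(fixed, SHARED_SECRET).read("image-1")
        == SAMPLE_PIXELS["image-1"],
    }
    # Replay: a captured valid nonce/response pair must not work a second time.
    nonce = fixed.challenge()
    resp = compute_response(SHARED_SECRET, nonce, "image-1")
    first = fixed.read("image-1", nonce, resp)
    second = fixed.read("image-1", nonce, resp)
    results["fixed_replay_rejected"] = first is not None and second is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the nonce being both random and single-use is that a network observer who captures a successful exchange learns nothing reusable; the secret itself never crosses the wire. How ImageMagick distributes its secret to clients is not stated on this page and is not modelled here.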

Impact Analysis

Because the distributed pixel cache accepted requests without a challenge–response authentication model before the specified versions, an attacker who could reach the cache server could read the pixel data it held. The CVSS vector as summarized here (local attack vector, high attack complexity, high privileges required, C:H, no integrity or availability impact) places this at low to medium severity, consistent with the CWE-200 classification as an information exposure rather than a memory-safety flaw; the numeric score itself is not shown on this page.
