CVE-2026-53466
Status: Undergoing Analysis - In Progress

Integer Overflow in ImageMagick XCF Decoder

Vulnerability report for CVE-2026-53466, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, an integer overflow in the XCF decoder can result in an out of bounds read when a crafted image is read, potentially resulting in a crash. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
image_magick image_magick to 7.1.2-26 (exc)

Exploitability

CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

AI Quick Actions
Executive Summary

This vulnerability is a heap buffer over-read in the XCF decoder of ImageMagick caused by an integer conversion overflow. When a specially crafted image is processed, the integer overflow leads to an out-of-bounds read, which can cause the application to crash.

The root causes are integer overflow (CWE-190) and incorrect numeric type conversion (CWE-681), which result in unexpected or negative values during calculations.

This issue affects ImageMagick versions prior to 6.9.13-51 and 7.1.2-26 and has been fixed in those versions.

Impact Analysis

The vulnerability can be exploited remotely without requiring any privileges or user interaction.

Exploitation may cause the ImageMagick application to crash due to an out-of-bounds read, potentially leading to denial of service.

Detection Guidance

Detection of this vulnerability involves identifying the use of vulnerable ImageMagick versions prior to 6.9.13-51 and 7.1.2-26.

You can check the installed ImageMagick version on your system using the following command:

  • magick --version

If a 6.x installation is older than 6.9.13-51, or a 7.x installation is older than 7.1.2-26, your system is potentially vulnerable.
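The version check above is easy to get wrong when done as a single string comparison, because the fix exists on two release lines: a 7.0.x build is newer than 6.9.13-51 yet still older than 7.1.2-26. The script below is an added example written for this page, not code from ImageMagick or from the advisory. It runs `magick --version` (ImageMagick 7) or `convert --version` (ImageMagick 6), parses the version banner, and compares it against the fixed release for the matching major line. The banner strings used as sample input are constructed for illustration; the `parse_version`, `is_vulnerable` and `check_banner` function names are this example's own.

```python
import re
import shutil
import subprocess

# Fixed versions named in the advisory, keyed by major release line.
FIXED_VERSIONS = {6: (6, 9, 13, 51), 7: (7, 1, 2, 26)}

# Matches the "ImageMagick 7.1.1-29" part of the first line of --version output.
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample banners (not captured from a real system) for testing offline.
SAMPLE_BANNER_OLD7 = "Version: ImageMagick 7.1.1-29 Q16-HDRI x86_64 22154 https://imagemagick.org"
SAMPLE_BANNER_OLD6 = "Version: ImageMagick 6.9.12-98 Q16 x86_64 2023-01-01 https://imagemagick.org"
SAMPLE_BANNER_FIXED7 = "Version: ImageMagick 7.1.2-26 Q16-HDRI x86_64 https://imagemagick.org"


def parse_version(banner):
    """Extract (major, minor, patch, release) from a --version banner.

    Returns None if no ImageMagick version string is present.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Compare a parsed version against the fixed release for its major line.

    Each release line is compared separately: 7.0.x is newer than 6.9.13-51 but
    still older than 7.1.2-26, so one global comparison would misclassify it.
    Anything below the 6.x line is treated as unfixed.
    """
    fixed = FIXED_VERSIONS[7] if version[0] >= 7 else FIXED_VERSIONS[6]
    return version < fixed


def check_banner(banner):
    """Return 'vulnerable', 'fixed' or 'unknown' for a version banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def installed_banner():
    """Run the version command for whichever ImageMagick binary is on PATH.

    ImageMagick 7 installs `magick`; ImageMagick 6 installs `convert`.
    Returns None when neither binary is found.
    """
    for exe in ("magick", "convert"):
        path = shutil.which(exe)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True)
            return result.stdout
    return None


if __name__ == "__main__":
    banner = installed_banner()
    if banner is None:
        print("ImageMagick not found on PATH")
    else:
        print(f"installed {parse_version(banner)}: {check_banner(banner)}")
```

Run it on each host that processes images; a result of "unknown" means the binary on PATH did not print an ImageMagick banner (for example, a different tool named `convert`), which should be investigated rather than treated as safe.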

Additionally, monitoring application logs for crashes or abnormal behavior when processing XCF images may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade ImageMagick to a fixed version.

  • Update ImageMagick to version 6.9.13-51 or later, or 7.1.2-26 or later.

Avoid processing untrusted or crafted XCF images until the update is applied.

Implement network-level protections to restrict access to services that use ImageMagick for image processing if possible.
