CVE-2026-56362
Undergoing Analysis Undergoing Analysis - In Progress

Heap-Buffer-Overflow in ImageMagick via GetPixelIndex

Vulnerability report for CVE-2026-56362, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a heap-buffer-overflow read affecting any writer calling GetPixelIndex.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 7.1.2-15 (exc)
imagemagick imagemagick to 6.9.13-40 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56362 is a heap-buffer-overflow read vulnerability in the GetPixelIndex function of ImageMagick. It occurs because the OpenPixelCache component updates image channel metadata before allocating memory for the pixel cache. If memory or disk allocation fails during this process, it causes a heap-buffer-overflow read when any writer calls GetPixelIndex.

This vulnerability affects ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 and is classified as an Out-of-bounds Read (CWE-125).

Impact Analysis

The vulnerability can lead to low confidentiality loss and low availability loss. An attacker with high privileges and network access can exploit this issue by triggering memory or disk allocation failures, causing the program to read outside the intended buffer. This may result in application instability or crashes.

Mitigation Strategies

To mitigate the CVE-2026-56362 vulnerability, you should update ImageMagick to a patched version, specifically version 7.1.2-15 or later, or 6.9.13-40 or later.

This vulnerability is caused by a heap-buffer-overflow read in the GetPixelIndex function due to metadata-cache desynchronization in OpenPixelCache. Updating to the fixed versions will resolve this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56362. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart