MEDIUM 5.1

CVE-2026-42326: ImageMagick IPTC Out-of-Bounds Read (Medium, 5.1 CVSS)

ImageMagick, a widely-used open-source tool for image processing, contains a flaw that allows a specially crafted image file to trigger an out-of-bounds memory read when the application writes IPTC metadata. An attacker who provides a malicious image could cause the software to read one byte of memory it shouldn't access, potentially leaking sensitive information or causing the application to crash. This is a local issue—the attacker must be able to supply the image file to a system running vulnerable ImageMagick.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.1 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Weaknesses (CWE)
CWE-125, CWE-191
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42326 is an out-of-bounds read vulnerability in ImageMagick's IPTC output handler. When processing a malicious input file during IPTC metadata writing, the code fails to properly validate buffer boundaries, allowing a single-byte read past the intended memory region. The vulnerability is rooted in improper bounds checking (CWE-125: Out-of-bounds Read) combined with potential integer underflow or signedness confusion (CWE-191). The flaw affects ImageMagick versions prior to 6.9.13-47 (legacy branch) and 7.1.2-22 (current branch). Exploitation requires local access and the ability to provide input to ImageMagick's IPTC writing functionality, typically through image processing workflows.

Business impact

Organizations relying on ImageMagick for automated image processing—such as content management systems, photo galleries, document conversion pipelines, or media asset management platforms—face potential information disclosure and service disruption. A malicious image uploaded or processed through these systems could leak snippets of memory containing cached credentials, configuration secrets, or other sensitive data. Availability is also at risk if the out-of-bounds access triggers a crash. For systems processing untrusted user-supplied images, this represents a meaningful risk to confidentiality and operational continuity.

Affected systems

ImageMagick versions 6.9.13-46 and earlier (6.x branch) and 7.1.2-21 and earlier (7.x branch) are vulnerable. Any deployment using these versions to process IPTC metadata—including web servers running image manipulation libraries, containerized microservices, and batch image processing jobs—requires immediate attention. Check your ImageMagick version with `convert -version` or equivalent. Note that many Linux distributions and container images bundle ImageMagick, so patching may require updating your base system or rebuilding images.

Exploitability

This vulnerability requires local access and the ability to provide a malicious image file as input to ImageMagick's IPTC writing function. The attack is not remotely exploitable in the default configuration, but network-accessible image processing services (APIs, web uploads) that feed images to vulnerable ImageMagick instances become indirect attack vectors. No user interaction is required once the malicious file is processed. The CVSS score of 5.1 (Medium) reflects the local requirement, limited impact scope (single-byte read), and mixed consequences (some information leak coupled with potential availability impact).

Remediation

Upgrade ImageMagick to version 6.9.13-47 or later (6.x series) or 7.1.2-22 or later (7.x series). For distributions, check your package manager for patched versions. Verify the patch by running `convert -version` and confirming the version number. In the interim, restrict the ability to upload or process untrusted images through ImageMagick-dependent services, and run ImageMagick with minimal privileges and memory constraints where possible.

Patch guidance

Apply the official ImageMagick updates from your vendor or distribution repository. Verify that you are upgrading to ImageMagick 6.9.13-47 (or later in the 6.9.x series) or 7.1.2-22 (or later in the 7.1.x series). For Docker and containerized deployments, rebuild images with the patched ImageMagick version. Test the update in a staging environment with your image processing workflows to confirm compatibility before deploying to production. Some distributions may have backported the fix to earlier version numbers—consult your vendor advisory for the exact version to target.

Detection guidance

Monitor for unexpected crashes or errors in ImageMagick-dependent services when processing images, particularly those containing IPTC metadata. Enable verbose logging in your image processing pipelines to capture image filenames and processing outcomes. Use file integrity monitoring on systems running vulnerable ImageMagick versions to detect unauthorized changes. Network-based detection is limited due to the local nature of the flaw, but you can audit image uploads and file-processing logs for suspicious or malformed image submissions. Vulnerability scanners can identify ImageMagick versions via binary inspection or package queries.

Why prioritize this

Assign medium-to-high priority based on your exposure: (1) If you process untrusted user-supplied images (web uploads, APIs), prioritize patching immediately. (2) If ImageMagick is internal-only and air-gapped, the risk is lower but still warrants prompt attention. (3) The vulnerability is not yet in active exploitation (not on the KEV catalog), offering a window for orderly patching before widespread campaigns emerge. The CVSS score of 5.1 reflects medium severity, but real-world impact depends on what sensitive data resides in the process memory of your image-handling services.

Risk score, explained

CVSS 3.1 score of 5.1 (Medium) is computed as: Attack Vector Local (requires filesystem or local service access), Attack Complexity Low (no special conditions), Privileges None (no elevated rights needed), User Interaction None (automatic upon file processing), Scope Unchanged (no lateral impact), Confidentiality Low (single-byte leak), Integrity None, Availability Low (potential crash). The score appropriately reflects the local-only attack surface and modest scope of the information leak, while acknowledging the practical risk to confidentiality and availability in image-processing workflows.

Frequently asked questions

Can this vulnerability be exploited remotely?

Not directly. The vulnerability requires local access or the ability to supply a malicious image file to ImageMagick's IPTC writing function. However, if your service accepts image uploads from the internet and processes them with vulnerable ImageMagick, the remote attacker is indirectly exploiting the flaw by uploading a malicious image.

What exactly leaks if this vulnerability is exploited?

A single byte of uninitialized or adjacent memory is read from the heap or stack. The leaked byte could contain fragments of previously-used data, credentials, or other secrets in the process memory. However, predicting or reliably harvesting useful information from a one-byte leak is difficult, making this a low-confidence information disclosure vector unless combined with other vulnerabilities.

Do I need to update both ImageMagick 6.x and 7.x?

Only if you use both versions. Most modern deployments use 7.x. However, legacy systems and some distributions still ship 6.x. Verify your installed version with `convert -version` and patch accordingly. Do not assume your distribution has automatically upgraded to 7.x.

Are there any workarounds if I cannot patch immediately?

Restrict image uploads and IPTC processing to trusted sources only. Run ImageMagick in a sandbox or container with reduced memory and filesystem access. Disable IPTC output where possible in your configuration. These are temporary measures; upgrading to a patched version is the definitive fix.

This analysis is provided for informational purposes and is based on CVE-2026-42326 as published. Readers are responsible for verifying patch version numbers and compatibility with their systems against the official ImageMagick release notes and their distribution vendor advisories. No exploit code or proof-of-concept is provided. The risk and exploitability assessment assumes standard configurations; custom builds or integrations may alter the threat profile. SEC.co does not warrant the completeness or real-time accuracy of this information and recommends consulting ImageMagick's official security advisories for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).