
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30883: Heap-based Buffer Overflow in ImageMagick PNG Encoder

Vulnerability ID: CVE-2026-30883
CVSS Score: 5.7
Published: 2026-03-10

ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 suffer from a heap-based buffer overflow in the PNG encoder (coders/png.c). This vulnerability is triggered when processing specially crafted PNG images containing extremely large metadata profiles, leading to memory corruption, denial of service, and potential limited integrity impact.

TL;DR

A heap buffer overflow in ImageMagick's PNG encoder (CVE-2026-30883) allows attackers to trigger a denial of service via malformed images with oversized profiles. Update to versions 7.1.2-16 or 6.9.13-41.


Technical Details

  • CWE ID: CWE-119
  • Attack Vector: Local
  • CVSS Score: 5.7
  • EPSS Score: 0.00013
  • Impact: Denial of Service (DoS)
  • Exploit Status: None

Affected Systems

  • ImageMagick 7.x
  • ImageMagick 6.x
  • Magick.NET
  • ImageMagick: >= 7.0.0, < 7.1.2-16 (Fixed in: 7.1.2-16)
  • ImageMagick: < 6.9.13-41 (Fixed in: 6.9.13-41)
  • Magick.NET: < 14.10.4 (Fixed in: 14.10.4)

Mitigation Strategies

  • Upgrade ImageMagick to patched versions
  • Update Magick.NET dependencies
  • Implement resource limits via policy.xml if unable to patch

Remediation Steps

  1. Identify all systems and containers running ImageMagick.
  2. Verify current versions using 'magick -version' or 'identify -version'.
  3. Update ImageMagick 7.x to 7.1.2-16 or 6.x to 6.9.13-41.
  4. Update Magick.NET to 14.10.4.
  5. Restart services dependent on ImageMagick libraries.
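As an added example (not code from the advisory or from the ImageMagick project) covering remediation steps 2 and 3 and the policy.xml mitigation above: a POSIX shell script that pulls the version out of the `-version` banner, compares it numerically against the fixed releases, and prints a resource-limiting policy.xml for hosts that cannot be upgraded yet. The function names, the `IM_CHECK_RUN` switch and the limit values are this example's own choices; only the fixed version numbers come from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the ImageMagick project): check an
# installed ImageMagick against the fixed versions the advisory names for
# CVE-2026-30883, and emit a resource-limiting policy.xml for hosts that
# cannot be patched yet. Function names and limit values are this example's own.

FIXED_7="7.1.2-16"   # fixed release for the 7.x line (from the advisory)
FIXED_6="6.9.13-41"  # fixed release for the 6.x line (from the advisory)

# Pull "X.Y.Z-N" out of the first line of `magick -version` / `identify -version`
# (that line looks like "Version: ImageMagick 7.1.1-47 Q16-HDRI x86_64 ...").
im_version_from_banner() {
  printf '%s\n' "$1" \
    | sed -n 's/.*ImageMagick \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Compare two "X.Y.Z-N" strings field by field as integers; prints -1, 0 or 1.
# Plain string comparison gets this wrong ("7.1.10-1" would sort before "7.1.2-16").
im_cmp() {
  set -- $(printf '%s\n' "$1" | sed 's/[.-]/ /g') $(printf '%s\n' "$2" | sed 's/[.-]/ /g')
  for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
    x=${pair%%:*}; y=${pair#*:}
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Exit 0 when $1 carries the fix, 1 when it falls inside an affected range,
# 2 when the major version is not one the advisory's ranges cover.
im_is_fixed() {
  case "$1" in
    7.*) [ "$(im_cmp "$1" "$FIXED_7")" -ge 0 ] ;;
    6.*) [ "$(im_cmp "$1" "$FIXED_6")" -ge 0 ] ;;
    *)   return 2 ;;
  esac
}

# Remediation step 2: locate the binary on PATH and report its status.
im_check_installed() {
  if command -v magick >/dev/null 2>&1; then
    banner=$(magick -version)
  elif command -v identify >/dev/null 2>&1; then
    banner=$(identify -version)
  else
    echo "ImageMagick: not found on PATH"; return 2
  fi
  v=$(im_version_from_banner "$banner")
  if im_is_fixed "$v"; then
    echo "ImageMagick $v: contains the fix for CVE-2026-30883"
  else
    rc=$?
    if [ "$rc" -eq 2 ]; then
      echo "ImageMagick '$v': version not recognised, check manually"; return 2
    fi
    echo "ImageMagick $v: affected by CVE-2026-30883, upgrade to $FIXED_7 (7.x) or $FIXED_6 (6.x)"
    return 1
  fi
}

# Stopgap from the mitigation list ("resource limits via policy.xml"): print a
# policy.xml that caps the memory, pixel dimensions and time one operation may
# consume. Limits bound what a malformed input can cost the host; they do not
# remove the overflow itself. Install it at the path shown by `magick -list policy`.
# The limit values below are example choices, not recommendations from the advisory.
im_policy_xml() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="16KP"/>
  <policy domain="resource" name="height" value="16KP"/>
  <policy domain="resource" name="area" value="128MP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="resource" name="list-length" value="32"/>
</policymap>
EOF
}

# Run the host check only when asked, so the file can also be sourced for its functions.
if [ "${IM_CHECK_RUN:-0}" = "1" ]; then
  im_check_installed
fi
```

Run it as `IM_CHECK_RUN=1 sh im_check.sh` on each host and container found in step 1 (a non-zero exit marks a build still in an affected range), or source it and call `im_policy_xml > policy.xml` for the interim policy. The version comparison is numeric per field so that a later patch level such as 7.1.10 is not mistaken for an older one; `magick -list policy` shows which policy.xml path the installed build actually reads, which is where the generated file belongs.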

