CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34238: Heap Buffer Overflow in ImageMagick Despeckle Operation

Vulnerability ID: CVE-2026-34238
CVSS Score: 5.1
Published: 2026-04-13

ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 contain an integer overflow vulnerability in the DespeckleImage function. When processing maliciously crafted images on 32-bit architectures, this flaw causes a heap-based buffer overflow, leading to process crashes and potentially arbitrary code execution.

TL;DR

A 32-bit integer overflow in ImageMagick's despeckle filter leads to an undersized heap allocation and subsequent out-of-bounds write.
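The arithmetic behind that undersized allocation, as an added example that is not ImageMagick's code: it places the unchecked `(columns+2)*(rows+2)` computation beside a checked form that bounds both the additions and the product. The `size32_t` typedef (a `uint32_t` standing in for a 32-bit `size_t`), the function names and the sample dimensions are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a 32-bit size_t, so the wrap reproduces on a 64-bit host. */
typedef uint32_t size32_t;

/* Unchecked form of (columns+2)*(rows+2): the result silently wraps modulo 2^32. */
static size32_t length_unchecked(size32_t columns, size32_t rows)
{
  return (size32_t) ((columns + 2u) * (rows + 2u));
}

/* Number of elements the padded buffer really needs, computed in 64 bits. */
static uint64_t length_required(size32_t columns, size32_t rows)
{
  return ((uint64_t) columns + 2u) * ((uint64_t) rows + 2u);
}

/* Checked form: refuse when either addition or the product would wrap. */
static bool length_checked(size32_t columns, size32_t rows, size32_t *length)
{
  if (columns > UINT32_MAX - 2u || rows > UINT32_MAX - 2u)
    return false;                     /* columns+2 or rows+2 would wrap */
  size32_t padded_columns = columns + 2u;
  size32_t padded_rows = rows + 2u;
  if (padded_columns > UINT32_MAX / padded_rows)
    return false;                     /* product would wrap (padded_rows >= 2) */
  *length = padded_columns * padded_rows;
  return true;
}

int main(void)
{
  /* Constructed dimensions, chosen only to show the arithmetic. */
  const size32_t dims[][2] = { {1920u, 1080u}, {65535u, 65535u} };
  for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
    size32_t checked = 0;
    bool ok = length_checked(dims[i][0], dims[i][1], &checked);
    printf("%ux%u: required=%llu unchecked=%u checked=%s\n",
           (unsigned) dims[i][0], (unsigned) dims[i][1],
           (unsigned long long) length_required(dims[i][0], dims[i][1]),
           (unsigned) length_unchecked(dims[i][0], dims[i][1]),
           ok ? "accepted" : "rejected");
  }
  return 0;
}
```

When `required` and `unchecked` differ, the allocator is asked for fewer elements than the loops that follow will write.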


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-190
  • CVSS Base Score: 5.1
  • Attack Vector: Local (AV:L)
  • Impact: Availability, High (A:H)
  • Attack Complexity: High (AC:H)
  • Privileges Required: None (PR:N)

Affected Systems

  • ImageMagick (v7): < 7.1.2-19 (Fixed in: 7.1.2-19)
  • ImageMagick (v6): < 6.9.13-44 (Fixed in: 6.9.13-44)
  • Magick.NET: < 14.12.0 (Fixed in: 14.12.0), affected packages:
      • Magick.NET-Q16-AnyCPU
      • Magick.NET-Q16-HDRI-AnyCPU
      • Magick.NET-Q16-HDRI-x86
      • Magick.NET-Q16-x86
      • Magick.NET-Q8-AnyCPU
      • Magick.NET-Q8-x86

Code Analysis

Commit: bcd8519

Fix integer overflow in DespeckleImage operation

--- a/MagickCore/effect.c
+++ b/MagickCore/effect.c
@@ -1369,7 +1369,13 @@ MagickExport Image *DespeckleImage(const Image *image,ExceptionInfo *exception)
   /*
     Allocate image buffer.
   */
-  length=(size_t) ((image->columns+2)*(image->rows+2));
+  if ((image->columns > (MAGICK_SIZE_MAX-2)) ||
+      (image->rows > (MAGICK_SIZE_MAX-2)))
+    {
+      despeckle_image=DestroyImage(despeckle_image);
+      ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
+    }
+  length=(image->columns+2)*(image->rows+2);
   pixel_info=AcquireVirtualMemory(length,sizeof(*pixels));
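Review bot: the multiplication on the new `length=(image->columns+2)*(image->rows+2);` line is still unchecked. The added guard only rules out wrap in the two `+2` additions, so nothing in these lines stops the product itself from exceeding MAGICK_SIZE_MAX and wrapping before `AcquireVirtualMemory` receives it. Consider also rejecting when `(image->columns+2) > MAGICK_SIZE_MAX/(image->rows+2)` ahead of the assignment, and extend the "Allocate image buffer." comment to say which overflow each test covers, since the reason for the `-2` bound is not obvious from the condition alone.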

Mitigation Strategies

  • Upgrade ImageMagick binaries to 7.1.2-19 or 6.9.13-44.
  • Update Magick.NET NuGet dependencies to 14.12.0.
  • Implement restrictive width and height limits in policy.xml.

Remediation Steps:

  1. Identify all systems and containers running 32-bit versions of ImageMagick or Magick.NET.
  2. Update the underlying ImageMagick libraries to the patched versions.
  3. If patching is delayed, edit /etc/ImageMagick-7/policy.xml to include <policy domain="resource" name="width" value="16KP"/> and <policy domain="resource" name="height" value="16KP"/>.
  4. Restart any background workers or web services that consume the ImageMagick libraries to apply changes.


Read the full report for CVE-2026-34238 on our website for more details including interactive diagrams and full exploit analysis.
