GHSA-JQQ5-8PX3-9M6M: Single-Byte Heap Overflow Bypass in ImageMagick JSON and YAML Encoders
Vulnerability ID: GHSA-JQQ5-8PX3-9M6M
CVSS Score: 6.2
Published: 2026-05-21
A heap-based buffer overflow vulnerability exists in the JSON and YAML encoders of ImageMagick and Magick.NET. This issue constitutes an incomplete fix for CVE-2026-40169, resulting in a single-byte out-of-bounds write (off-by-one error) during image metadata serialization.
TL;DR
ImageMagick < 7.1.2-19 and Magick.NET < 14.12.0 suffer from a single-byte heap overflow in their JSON/YAML encoders. An incomplete patch for a prior vulnerability allows an attacker to cause a denial of service via a crafted file.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-122, CWE-193
- Attack Vector: Local / Remote via File Upload
- CVSS Score: 6.2
- Impact: Denial of Service (DoS)
- Exploit Status: Proof of Concept (PoC) Exists
- KEV Status: Not Listed
Affected Systems
- ImageMagick Core
- Magick.NET NuGet Packages
- ImageMagick: < 7.1.2-19 (Fixed in: 7.1.2-19)
- Magick.NET: < 14.12.0 (Fixed in: 14.12.0)
Exploit Details
- Private Researcher (007bsd): A Proof-of-Concept demonstrating the crash exists in the private researcher community.
Mitigation Strategies
- Update ImageMagick to version 7.1.2-19 or later
- Update Magick.NET packages to version 14.12.0 or later
- Disable the JSON and YAML coders via ImageMagick's policy.xml if updates are not possible
Remediation Steps:
- Identify all systems and applications using ImageMagick or Magick.NET.
- Check the installed version of the libraries.
- If utilizing Magick.NET, update the project's NuGet package references to version 14.12.0.
- If utilizing ImageMagick locally or in a container, update the system package or base image to incorporate version 7.1.2-19.
- Test image processing pipelines to ensure updates do not cause regressions.
- Deploy the updated components to production environments.
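An added example (not part of the advisory or of ImageMagick) for the version check in the remediation steps and the policy.xml mitigation above: it compares a `magick -version` banner against the fixed release and reports whether a policy file denies the JSON and YAML coders. The sample banner and policy are constructed, the function names are hypothetical, and precedence between conflicting policy rules is not modelled.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

FIXED = (7, 1, 2, 19)  # first fixed ImageMagick release named in the advisory

def parse_version(banner):
    """Extract (major, minor, micro, patch) from `magick -version` style text."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", banner)
    if not m:
        raise ValueError("no ImageMagick version found")
    return tuple(int(g) for g in m.groups())

def is_affected(banner):
    # Applies the advisory's single range (< 7.1.2-19) literally.
    # Tuple comparison is numeric, so 7.1.2-9 sorts before 7.1.2-19;
    # a plain string comparison would get this wrong.
    return parse_version(banner) < FIXED

def expand(pattern):
    """Expand one {A,B} brace list; other glob syntax is left to fnmatch."""
    m = re.fullmatch(r"(.*)\{([^{}]*)\}(.*)", pattern)
    if not m:
        return [pattern]
    return [m.group(1) + alt + m.group(3) for alt in m.group(2).split(",")]

def unblocked_coders(policy_xml, coders=("JSON", "YAML")):
    """Return the coders that no rights="none" coder policy covers.
    Simplification (assumption): any matching deny rule counts as a block."""
    denied = []
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == "coder" and p.get("rights", "").lower() == "none":
            denied += expand(p.get("pattern", ""))
    return [c for c in coders
            if not any(fnmatch.fnmatchcase(c, pat) for pat in denied)]

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 https://imagemagick.org"
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{JSON,MVG}"/>
</policymap>"""

if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_BANNER))
    print("coders still enabled:", unblocked_coders(SAMPLE_POLICY))
```

On a real host, pass the output of `magick -version` and the contents of the active policy.xml in place of the constructed samples.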
References
- GitHub Advisory Database
- ImageMagick Security Advisory
- Original Vulnerability (CVE-2026-40169)
- Magick.NET Release Notes