PT-2026-3528 · Unknown+2 · Imagemagick+2
Bennyisaacs · Published 2026-01-18 · Updated 2026-03-10 · CVE-2026-23876
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ImageMagick versions prior to 7.1.2-13 and 6.9.13-38
Description: ImageMagick is free and open-source software for editing and manipulating digital images. A heap buffer overflow exists in the XBM image decoder (ReadXBMImage) when it processes a maliciously crafted image file. It allows an attacker to write beyond the allocated memory buffer, potentially leading to remote code execution. The issue is triggered when an image is read or identified, so it is reachable through common image upload and processing pipelines.
Recommendations: Update ImageMagick to version 7.1.2-13 or 6.9.13-38 or later to address this vulnerability.
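To turn the version ranges above into an inventory check, the following script parses the banner printed by `magick -version` (or `convert -version` on the 6.x branch) and compares it against the fixed releases named in this advisory. It is an added example written for this page, not code from ImageMagick or from the advisory author; the sample banner in the block is constructed, and the "fixed version" tuples are taken only from the versions stated above.

```python
import re
import shutil
import subprocess

# Fixed releases named in the advisory, keyed by major version.
# Anything on the same major branch below these values is treated as affected.
FIXED_VERSIONS = {
    7: (7, 1, 2, 13),    # 7.1.2-13
    6: (6, 9, 13, 38),   # 6.9.13-38
}

# Constructed sample of the first line of `magick -version` output (not real output
# captured from a system; used only so the script runs offline).
SAMPLE_BANNER = "Version: ImageMagick 7.1.1-47 Q16-HDRI x86_64 22618 https://imagemagick.org"


def parse_version(banner):
    """Extract (major, minor, patch, build) from an ImageMagick version banner.

    ImageMagick prints its release as MAJOR.MINOR.PATCH-BUILD, e.g. 7.1.2-13.
    Returns None when no such version string is present.
    """
    m = re.search(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Return True if `version` is below the fixed release for its major branch,
    False if it is at or above it, and None if the advisory does not cover
    that major version at all."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, which matches MAJOR.MINOR.PATCH-BUILD ordering.
    return version < fixed


def assess_banner(banner):
    """Parse a banner and return a small report dict suitable for logging."""
    version = parse_version(banner)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no ImageMagick version found"}
    verdict = is_vulnerable(version)
    fixed = FIXED_VERSIONS.get(version[0])
    return {
        "version": "%d.%d.%d-%d" % version,
        "vulnerable": verdict,
        "fixed_in": ("%d.%d.%d-%d" % fixed) if fixed else None,
    }


def installed_banner():
    """Run the locally installed ImageMagick binary, if any, and return its banner.

    Tries `magick` (7.x) first, then `convert` (6.x). Returns None if neither exists.
    """
    for tool in ("magick", "convert"):
        path = shutil.which(tool)
        if path:
            out = subprocess.run([path, "-version"], capture_output=True, text=True)
            return out.stdout
    return None


if __name__ == "__main__":
    banner = installed_banner() or SAMPLE_BANNER
    print(assess_banner(banner))
```

A result of `vulnerable: None` means the major version is not one the advisory addresses, which should be treated as "check the vendor" rather than as safe.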

Tags: Exploit · Fix · RCE · Heap Based Buffer Overflow · Integer Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-00645
CVE-2026-23876
ECHO-55F4-7AFA-D9C9
GHSA-R49W-JQQ3-3GX8
OESA-2026-1241
OESA-2026-1242
OESA-2026-1243
OESA-2026-1244
OESA-2026-1245
OESA-2026-1246
OPENSUSE-SU-2026:10119-1
OPENSUSE-SU-2026:20337-1
RHSA-2026:3058
SUSE-SU-2026:0384-1
SUSE-SU-2026:0437-1
SUSE-SU-2026:0438-1
SUSE-SU-2026:0503-1
USN-8021-1

Affected Products

Imagemagick
Linuxmint
Ubuntu