{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30883", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.699Z", "datePublished": "2026-03-09T21:45:55.110Z", "dateUpdated": "2026-03-10T14:54:05.736Z"}, "containers": {"cna": {"title": "ImageMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder", "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "lang": "en", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-16", "status": "affected"}, {"version": "< 6.9.13-41", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:45:55.110Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "source": {"advisory": "GHSA-qmw5-2p58-xvrc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:53:57.529281Z", "id": "CVE-2026-30883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:54:05.736Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:53:57.529281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:54:01.439Z"}}], "cna": {"title": "ImageMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder", "source": {"advisory": "GHSA-qmw5-2p58-xvrc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.1.2-16"}, {"status": "affected", "version": "< 6.9.13-41"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:45:55.110Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30883", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:54:05.736Z", "dateReserved": "2026-03-06T00:04:56.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T21:45:55.110Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFFB7C48-4211-4215-9C0B-D285B8E09CF1", "versionEndExcluding": "6.9.13-41", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "865783BD-5A33-4D05-AF99-E6EFE76414D1", "versionEndExcluding": "7.1.2-16", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. Antes de las versiones 7.1.2-16 y 6.9.13-41, un perfil de imagen extremadamente grande podr\u00eda resultar en un desbordamiento de mont\u00edculo al codificar una imagen PNG. Esta vulnerabilidad est\u00e1 corregida en 7.1.2-16 y 6.9.13-41."}], "id": "CVE-2026-30883", "lastModified": "2026-03-13T17:10:28.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T07:44:56.543", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of Service due to heap overflow when processing large image profiles", "id": "2445878", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445878"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. A local attacker could exploit this vulnerability by providing an extremely large image profile when encoding a PNG image. This could result in a heap overflow, leading to a Denial of Service (DoS), which makes the affected system or application unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid processing untrusted or maliciously crafted image files with ImageMagick. Users should exercise caution when handling image files from unknown or suspicious sources."}, "name": "CVE-2026-30883", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-03-09T21:45:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30883\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30883\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc"], "statement": "This MODERATE impact vulnerability in ImageMagick affects Red Hat Enterprise Linux 6 ELS and 7 ELS. A heap overflow can occur when processing an extremely large image profile during PNG encoding. Exploitation requires an attacker to provide a specially crafted image file for processing.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.2-16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-41)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-18T09:39:46.382116+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to at least 7.1.2-16 or 6.9.13-41, or a later release that contains the fix.", "On systems that cannot be updated immediately, configure the image processing pipeline to reject PNG files with profiles exceeding a reasonable size threshold, or use the --limit option to bound allocation sizes.", "If possible, isolate image decoding and encoding tasks in a sandboxed or restricted environment to contain any memory corruption."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption due to Heap Overflow"}, "threat_synthesis": {"affected_systems": "Vulnerable builds of ImageMagick are any versions earlier than 7.1.2-16 for the 7.x series and earlier than 6.9.13-41 for the 6.x series. Any deployment that decodes or encodes PNG files with these versions is at risk.", "description_and_impact": "ImageMagick suffers a buffer overflow in the PNG encoder when an image contains an extremely large profile. The overflow corrupts heap memory, creating an opportunity for memory corruption if an attacker can supply the crafted image. The weakness is classified as a buffer overflow (CWE\u2011120) and buffer over-read (CWE\u2011119). Based on the description, it is inferred that the attack vector would rely on an attacker supplying a crafted image to the vulnerable PNG encoder.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.7, indicating moderate severity, and an EPSS of less than 1%, showing a very low probability of exploitation at this time. It is not currently listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker must deliver a PNG image containing an oversized profile to the vulnerable software. Successful exploitation could lead to memory corruption that may affect the stability or confidentiality of the host where the image is processed."}}}}, "created": "2026-03-10T14:06:46.255233+00:00", "updated": "2026-04-18T09:45:25.837624+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}