Warning: Heap Buffer Overflow in ImageMagick can be exploited to corrupt memory and potentially compromise affected systems. PoC Available, Patch Immediately!

Published: 23/02/2026
  • Last update: 23/02/2026
  • Affected software:
    → ImageMagick, versions prior to 7.1.2-13 (7.x branch) and prior to 6.9.13-38 (6.x branch)
  • Type:
    → CWE-122: Heap-based Buffer Overflow
    → CWE-190: Integer Overflow or Wraparound
  • CVE/CVSS
    → CVE-2026-23876: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8

Risks

ImageMagick is a widely deployed open-source image manipulation library. It is commonly integrated into web applications, content management systems, and automated image processing pipelines, often indirectly through language bindings, CMS plugins or container base images. CVE-2026-23876 is a high-severity vulnerability that allows an attacker to submit a specially crafted image and cause a heap overflow that overwrites memory, potentially leading to arbitrary code execution with the permissions of the ImageMagick process. According to the CVSS vector, exploitation is possible over the network without privileges or user interaction, although the attack complexity is rated high. A successful attack could compromise the confidentiality (access to sensitive data), integrity (modification of data or behaviour), and availability (crash or denial of service) of affected systems.

A publicly available Proof of Concept increases the likelihood of exploitation by lowering the technical barrier for attackers to weaponize the vulnerability.

Description

CVE-2026-23876 is a heap-based buffer overflow in ImageMagick's XBM image decoder (the function ReadXBMImage). The flaw arises from improper bounds checking when parsing XBM image data: an attacker can craft an XBM file whose header declares manipulated dimensions, so that the decoder's size arithmetic wraps (CWE-190) and the pixel data that follows is written past the end of the undersized heap buffer (CWE-122). ImageMagick identifies most formats from the file's content rather than its extension, so an extension filter on uploads does not by itself keep a crafted file away from the XBM coder. Because ImageMagick processes image files on network-facing systems and in automated workflows, the vulnerability can be triggered through typical image upload interfaces or batch processing routines without any direct access to the host.
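To make the CWE-190 to CWE-122 chain concrete, the following is an added example written for this advisory; it is a deliberately small model of an XBM reader, not ImageMagick's ReadXBMImage, and makes no claim about that function's internals. The two sample inputs, the 256 MiB cap and all function names are constructed for illustration. It shows the unchecked 32-bit size computation wrapping for crafted dimensions next to a hardened variant that computes the size in 64 bits, caps it, and bounds the copy loop by the allocation rather than by the header's claim.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of an XBM reader, written for this advisory to show the
 * CWE-190 -> CWE-122 pattern described above. It is NOT ImageMagick's
 * ReadXBMImage and makes no claim about that function's internals. */

#define XBM_MAX_BYTES (256u * 1024u * 1024u) /* assumed policy cap on bitmap data: 256 MiB */

/* Constructed sample inputs (not taken from any real PoC). */
const char XBM_SAMPLE[] =
    "#define test_width 8\n#define test_height 2\n"
    "static unsigned char test_bits[] = {\n   0xff, 0x81 };\n";
const char XBM_CRAFTED[] =   /* dimensions chosen so bytes_per_line * height wraps in 32 bits */
    "#define evil_width 524288\n#define evil_height 65537\n"
    "static unsigned char evil_bits[] = {\n   0x00 };\n";

/* Parse "#define <name>_width W" / "#define <name>_height H" lines.
 * Returns 0 on success, -1 if either value is missing or out of range. */
int xbm_parse_header(const char *text, uint32_t *width, uint32_t *height)
{
    char name[64];
    unsigned long value;
    int have_w = 0, have_h = 0;
    const char *p = text;
    while (*p != '\0') {
        if (sscanf(p, "#define %63s %lu", name, &value) == 2) {
            size_t n = strlen(name);
            if (value > UINT32_MAX) return -1;
            if (n > 6 && strcmp(name + n - 6, "_width") == 0)  { *width = (uint32_t)value;  have_w = 1; }
            if (n > 7 && strcmp(name + n - 7, "_height") == 0) { *height = (uint32_t)value; have_h = 1; }
        }
        p = strchr(p, '\n');
        if (p == NULL) break;
        p++;
    }
    return (have_w && have_h) ? 0 : -1;
}

/* Vulnerable size computation: 32-bit arithmetic wraps for crafted dimensions,
 * so malloc() hands back a buffer far smaller than the pixel loop will fill. */
uint32_t xbm_bytes_unchecked(uint32_t width, uint32_t height)
{
    uint32_t bytes_per_line = (width + 7) / 8;
    return bytes_per_line * height;  /* 65536 * 65537 wraps to 65536 */
}

/* Hardened size computation: done in 64 bits (cannot wrap for 32-bit inputs)
 * and capped. Returns 0 and sets *out, or -1 when the dimensions are unusable. */
int xbm_bytes_checked(uint32_t width, uint32_t height, size_t max_bytes, size_t *out)
{
    if (width == 0 || height == 0) return -1;
    uint64_t bytes_per_line = ((uint64_t)width + 7) / 8;
    uint64_t total = bytes_per_line * (uint64_t)height;  /* < 2^29 * 2^32, no wrap in 64 bits */
    if (total > max_bytes) return -1;
    *out = (size_t)total;
    return 0;
}

/* Decode: header -> checked allocation -> bounds-checked copy of the hex byte list.
 * Returns the number of bytes written to *out (caller frees), or 0 on rejection. */
size_t xbm_decode(const char *text, uint8_t **out)
{
    uint32_t w, h;
    size_t need, count = 0;
    *out = NULL;
    if (xbm_parse_header(text, &w, &h) != 0) return 0;
    if (xbm_bytes_checked(w, h, XBM_MAX_BYTES, &need) != 0) return 0;  /* crafted dimensions stop here */
    uint8_t *buf = malloc(need);
    const char *p = strchr(text, '{');
    if (buf == NULL || p == NULL) { free(buf); return 0; }
    p++;
    while (count < need) {  /* the loop bound is the allocation size, never the header's claim */
        int byte, consumed;
        while (*p == ' ' || *p == '\t' || *p == '\n' || *p == ',') p++;
        if (sscanf(p, "%i%n", &byte, &consumed) != 1 || byte < 0 || byte > 0xff) break;
        buf[count++] = (uint8_t)byte;
        p += consumed;
    }
    if (count != need) { free(buf); return 0; }  /* short data is rejected, not silently zero-filled */
    *out = buf;
    return count;
}

int main(void)
{
    uint8_t *bits = NULL;
    size_t n = xbm_decode(XBM_SAMPLE, &bits);
    printf("sample: %zu bytes decoded\n", n);
    free(bits);
    printf("crafted: unchecked size = %u bytes, checked decode %s\n",
           xbm_bytes_unchecked(524288u, 65537u),
           xbm_decode(XBM_CRAFTED, &bits) == 0 ? "rejected" : "accepted");
    return 0;
}
```

The crafted header asks for 65536 bytes per row times 65537 rows; in 32-bit arithmetic that product is 65536, so an unchecked reader would allocate 64 KiB and then try to fill more than 4 GiB through it. The hardened path rejects the file before any allocation, and even for accepted files the copy loop can never exceed the buffer it was given.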

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing the fixed ImageMagick releases on vulnerable systems with the highest priority after thorough testing. Because ImageMagick is frequently pulled in indirectly (language bindings, CMS plugins, container base images), inventory those dependencies as well as standalone installations. Where immediate patching is not possible, disabling the XBM coder in ImageMagick's policy.xml (coder domain, rights "none", pattern "XBM") is an interim mitigation, at the cost of rejecting legitimate XBM input.

Monitor/Detect
The CCB recommends organizations increase monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion. For this vulnerability, relevant indicators include crashes or abnormal terminations of image-processing workers (for example convert or magick processes), since failed heap overflow attempts typically manifest as crashes, as well as unexpected child processes or outbound connections originating from those workers.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-23876