ImageMagick, Heap Buffer Over-Write, CVE-2026-46521 (Moderate)

Listen to this Post

The vulnerability resides in the MIFF (Magick Image File Format) encoder when LZMA compression is selected. During the compression process, the encoder writes compressed image data into a fixed-size heap buffer. A missing bounds check allows the encoder to write beyond the buffer’s allocated capacity. Specifically, when processing a specially crafted MIFF image that includes LZMA-compressed data, the encoder does not verify that the amount of data to be written fits within the heap buffer. This oversight leads to a heap buffer over-write, corrupting adjacent memory structures. The out-of-bounds write occurs because the encoder trusts the compressed data size reported in the MIFF header without validating it against the buffer’s size. An attacker can exploit this by providing a malicious MIFF file with a manipulated LZMA stream that, when decompressed, exceeds the expected buffer size. The encoder writes the excess data past the buffer boundary, potentially overwriting critical control data. This can cause program instability, crash the application (denial of service), or under certain conditions allow arbitrary code execution. The issue is triggered when ImageMagick processes the image using the `-compress lzma` flag or when reading a MIFF file that internally specifies LZMA compression. The function `WriteMIFFImage` (coders/miff.c) calls LZMA compression routines without performing adequate length checks.
Platform: Cross-platform (Linux,Windows,macOS)
Version: Before 7.1.2-15
Vulnerability: Heap buffer overflow
Severity: Medium (CVSS:6.3)
date: May 18, 2026

Prediction: Patch May 17,2026

Analytics under heading What Undercode Say:

Check installed ImageMagick version
magick --version | grep -Eo 'Version: ImageMagick [0-9]+.[0-9]+.[0-9]+'
Craft a malicious MIFF file with LZMA compression
echo -ne 'id=ImageMagick\ncompression=lzma\n' > mal.miff
dd if=/dev/zero bs=1024 count=1 | lzma -z >> mal.miff
Trigger the heap buffer overflow (DoS)
magick identify mal.miff
Monitor for memory corruption (using valgrind)
valgrind --tool=memcheck magick convert mal.miff out.png
Sanity check: disable LZMA temporarily to avoid the vulnerability
export MAGICK_CONFIGURE_PATH=/etc/ImageMagick-7/policy.xml
Policy to block LZMA compression
echo '<policymap><policy domain="coder" rights="read" pattern="MIFF" /></policymap>' > /tmp/policy.xml

Exploit:

A remote attacker can craft a malicious MIFF file with a manipulated LZMA stream that, when decoded, attempts to write past the heap buffer boundary. No public exploit code is currently available, but the primitive (heap overflow) is sufficient to cause denial of service or potentially achieve code execution under specific memory layouts.

Protection from this CVE

  • Upgrade to ImageMagick versions 7.1.2-15 or later.
  • Disable the MIFF coder via policy.xml (<policy domain="coder" rights="none" pattern="MIFF" />).
  • Avoid processing untrusted MIFF files.
  • Use a security-hardened build with ASLR and stack canaries.

Impact

Successful exploitation can lead to application crash (denial of service). In a worst-case scenario, an attacker may achieve arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected system.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top