Listen to this Post
The vulnerability resides in the MIFF (Magick Image File Format) encoder when LZMA compression is selected. During the compression process, the encoder writes compressed image data into a fixed-size heap buffer. A missing bounds check allows the encoder to write beyond the buffer’s allocated capacity. Specifically, when processing a specially crafted MIFF image that includes LZMA-compressed data, the encoder does not verify that the amount of data to be written fits within the heap buffer. This oversight leads to a heap buffer over-write, corrupting adjacent memory structures. The out-of-bounds write occurs because the encoder trusts the compressed data size reported in the MIFF header without validating it against the buffer’s size. An attacker can exploit this by providing a malicious MIFF file with a manipulated LZMA stream that, when decompressed, exceeds the expected buffer size. The encoder writes the excess data past the buffer boundary, potentially overwriting critical control data. This can cause program instability, crash the application (denial of service), or under certain conditions allow arbitrary code execution. The issue is triggered when ImageMagick processes the image using the `-compress lzma` flag or when reading a MIFF file that internally specifies LZMA compression. The function `WriteMIFFImage` (coders/miff.c) calls LZMA compression routines without performing adequate length checks.
Platform: Cross-platform (Linux,Windows,macOS)
Version: Before 7.1.2-15
Vulnerability: Heap buffer overflow
Severity: Medium (CVSS:6.3)
date: May 18, 2026
Prediction: Patch May 17,2026
Analytics under heading What Undercode Say:
Check installed ImageMagick version magick --version | grep -Eo 'Version: ImageMagick [0-9]+.[0-9]+.[0-9]+' Craft a malicious MIFF file with LZMA compression echo -ne 'id=ImageMagick\ncompression=lzma\n' > mal.miff dd if=/dev/zero bs=1024 count=1 | lzma -z >> mal.miff Trigger the heap buffer overflow (DoS) magick identify mal.miff Monitor for memory corruption (using valgrind) valgrind --tool=memcheck magick convert mal.miff out.png Sanity check: disable LZMA temporarily to avoid the vulnerability export MAGICK_CONFIGURE_PATH=/etc/ImageMagick-7/policy.xml Policy to block LZMA compression echo '<policymap><policy domain="coder" rights="read" pattern="MIFF" /></policymap>' > /tmp/policy.xml
Exploit:
A remote attacker can craft a malicious MIFF file with a manipulated LZMA stream that, when decoded, attempts to write past the heap buffer boundary. No public exploit code is currently available, but the primitive (heap overflow) is sufficient to cause denial of service or potentially achieve code execution under specific memory layouts.
Protection from this CVE
- Upgrade to ImageMagick versions 7.1.2-15 or later.
- Disable the MIFF coder via policy.xml (
<policy domain="coder" rights="none" pattern="MIFF" />). - Avoid processing untrusted MIFF files.
- Use a security-hardened build with ASLR and stack canaries.
Impact
Successful exploitation can lead to application crash (denial of service). In a worst-case scenario, an attacker may achieve arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected system.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

