Listen to this Post
The vulnerability exists in the `WaveletDenoiseImage` method, which is called when ImageMagick processes an image with the `-wavelet-denoise` command-line option. A heap buffer overflow occurs due to an out-of-bounds write operation. Specifically, when a specially crafted image is provided, the algorithm miscalculates buffer boundaries during the wavelet denoising process. This happens because the code fails to properly validate image dimensions and pixel data before performing memory write operations. The wavelet denoising algorithm, which applies a mathematical transform to remove noise from images, iterates through pixel data using pre-calculated offsets. In vulnerable versions, these offset calculations can be corrupted by a malicious image, causing the write pointer to exceed the allocated heap buffer. This results in memory corruption adjacent to the intended buffer, potentially leading to application crashes or, in more severe scenarios, arbitrary code execution. The issue resides in how the function handles edge cases for images with specific dimensions, where the loop conditions for processing wavelet coefficients do not correctly bound-check against the allocated memory region. An attacker can trigger this by supplying a malicious image file that, when processed with the wavelet denoise filter, causes the heap buffer overflow.
Platform: ImageMagick
Version: <6.9.13-40 / <7.1.2-15
Vulnerability : Heap Buffer Overflow
Severity: Moderate
Date: March 12, 2026
Prediction: Patched versions already released
What Undercode Say:
Analytics:
This vulnerability affects all ImageMagick installations prior to the patched versions. Given ImageMagick’s widespread use in web applications for image processing, the attack surface is significant. The EPSS score indicates a moderate probability of exploitation in the wild. Analysis of the patch shows the fix involves adding proper bounds checking in the wavelet denoising loop to prevent out-of-bounds writes .
How Exploit:
A proof-of-concept can be crafted using a malformed image The following command on a vulnerable system would trigger the overflow convert -wavelet-denoise exploit.jpg output.png Developers can test their systems using a hex-edited image that contains specific dimension values to trigger the flawed calculation Example of analyzing the crash with gdb gdb --args convert -wavelet-denoise crafted.png out.png (gdb) run Program will segfault in WaveletDenoiseImage due to heap corruption
Protection from this CVE:
Check current version convert --version For ImageMagick 6, update to 6.9.13-40 or later For ImageMagick 7, update to 7.1.2-15 or later On Debian/Ubuntu: sudo apt update sudo apt install imagemagick=8:6.9.13.40+dfsg-1 On RHEL/CentOS: sudo yum update ImageMagick If immediate patching isn't possible, disable wavelet-denoise in policy.xml Edit /etc/ImageMagick-7/policy.xml and add: <policy domain="coder" rights="none" pattern="WAVELET" /> Or filter input images to prevent exploitation Only process images from trusted sources
Impact:
Successful exploitation could lead to application instability (denial of service) or potential arbitrary code execution with the privileges of the user running ImageMagick. In web environments where ImageMagick processes user-uploaded images, this could lead to remote code execution on the server . The vulnerability allows corruption of adjacent heap memory, which may be leveraged for more sophisticated attacks beyond simple crashes.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

