ImageMagick Heap Buffer Underwrite in Floyd-Steinberg Dithering (CVE-2026-48724) — Medium Severity -DC-Jun2026-656

How CVE-2026-48724 Works

ImageMagick is a widely-used open-source software suite for displaying, converting, and editing raster image files. Its `FloydSteinbergImageDepth` function implements the Floyd‑Steinberg error‑diffusion dithering algorithm, a common technique for reducing the colour depth of images while minimising visual artefacts. The algorithm works by quantising each pixel and propagating the quantisation error to neighbouring pixels using a specific weighting pattern.
The vulnerability arises when ImageMagick processes an image that includes a mask (an alpha channel or a separate mask image). In the `FloydSteinbergImageDepth` function, the code iterates over pixel channels to apply the dithering. When it encounters a channel that lacks the `UpdatePixelTrait` flag, it executes a `continue` statement to skip that channel. However, the index variables `u` and `v`, which track the current pixel position within the distortion array, are not incremented in this skip path. As a result, subsequent accesses to the `distortion` array use incorrect, outdated indices.
This logic flaw causes the function to write dithering error values before the start of the allocated heap buffer for certain pixels, resulting in a negative heap buffer underwrite (also described as an out‑of‑bounds write below the allocated memory region). The underwrite corrupts adjacent heap metadata or other dynamically allocated objects, which can lead to application crashes, unpredictable behaviour, or—in cases where an attacker can control the corrupted data—arbitrary code execution.
The vulnerability affects all ImageMagick versions prior to 7.1.2-24. It was assigned CVE-2026-48724 and published on 30 May 2026. The issue is rated as Medium severity with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). It impacts all Magick.NET packages (the .NET wrapper for ImageMagick) below version 14.14.0, as well as the underlying ImageMagick library itself. The fix was released in ImageMagick 7.1.2-24 and Magick.NET 14.14.0.

<h2 style="color: blue;">DailyCVE Form</h2>

Platform: ....... ImageMagick / Magick.NET
Version: ........ < 7.1.2-24 / < 14.14.0
Vulnerability: .. Heap Buffer Underwrite (CWE-787)
Severity: ....... Medium (CVSS 5.5)
Date: ........... 30 May 2026

<h2 style="color: blue;">Prediction: ..... Already patched (7.1.2-24)</h2>

<h2 style="color: blue;">What Undercode Say</h2>

<blockquote>
  “The index desynchronisation in the Floyd‑Steinberg loop is a classic example of how a simple `continue` can break memory safety when state variables are not carefully managed. Attackers with local access and a maliciously crafted image can trigger this underwrite reliably.”
</blockquote>

<h2 style="color: blue;">Analytics & Detection Commands</h2>

<h2 style="color: blue;">Check your ImageMagick version:</h2>

```bash
convert -version | head -n1
```

Expected output for a vulnerable system:

```
Version: ImageMagick 7.1.2-23 ...
```

For Magick.NET, inspect the package version in your project file:

```bash
grep -i "Magick.NET" packages.config || grep -i "Magick.NET" *.csproj
```

Nessus plugin ID 321444 detects this issue by version alone. To manually verify if your build contains the vulnerable code path, examine the source `FloydSteinbergImageDepth` function in `magick/quantize.c` for the presence of the `continue` statement without index updates. A simple grep:

```bash
grep -A 20 "FloydSteinbergImageDepth" magick/quantize.c | grep -i "continue"
```
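A local version gate equivalent to the version-only checks above, added here as an example and not taken from the advisory or the ImageMagick project. The fixed versions come from this page; the sample `-version` line, the `.csproj` fragment and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): flag versions affected by CVE-2026-48724.
IM_FIXED="7.1.2-24"     # first fixed ImageMagick release, as stated on this page
NET_FIXED="14.14.0"     # first fixed Magick.NET release, as stated on this page

# ver_lt A B: exit 0 when A sorts before B. Fields are split on "." and "-",
# compared numerically, and missing fields count as 0.
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, /[.-]/); split(b, y, /[.-]/)
    for (i = 1; i <= 4; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# check_imagemagick TEXT: TEXT is the output of `magick -version`.
check_imagemagick() {
  v=$(printf '%s\n' "$1" |
      sed -n 's/^Version: ImageMagick \([0-9][0-9.-]*\).*/\1/p' | head -n1)
  if [ -z "$v" ]; then echo "unknown"; return 0; fi
  if ver_lt "$v" "$IM_FIXED"; then echo "vulnerable $v"; else echo "fixed $v"; fi
}

# check_magicknet TEXT: TEXT is the content of a .csproj or packages.config.
# Prints one verdict per Magick.NET package line that carries a version attribute.
check_magicknet() {
  printf '%s\n' "$1" | grep -i 'Magick\.NET' |
    sed -n 's/.*[Vv]ersion="\([0-9][0-9.]*\)[^"]*".*/\1/p' |
    while read -r v; do
      if ver_lt "$v" "$NET_FIXED"; then echo "vulnerable $v"; else echo "fixed $v"; fi
    done
}

# Constructed sample inputs (not captured from a real host or project).
SAMPLE_IM='Version: ImageMagick 7.1.2-23 Q16-HDRI x86_64 https://imagemagick.org'
SAMPLE_CSPROJ='<PackageReference Include="Magick.NET-Q8-AnyCPU" Version="14.13.0" />
<PackageReference Include="Magick.NET.Core" Version="14.14.0" />'

check_imagemagick "$SAMPLE_IM"     # real host: check_imagemagick "$(magick -version)"
check_magicknet "$SAMPLE_CSPROJ"   # real project: check_magicknet "$(cat App.csproj)"
```

Fields are compared numerically, so a release such as 7.1.10-1 is treated as newer than 7.1.2-24, which a plain string comparison gets wrong.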

Exploit

To trigger the underwrite, an attacker needs to supply an image with a mask (e.g., a PNG with alpha channel or a separate mask file) and invoke the Floyd‑Steinberg dithering with a depth reduction. A minimal proof‑of‑concept using ImageMagick’s command line:

```bash
convert input.png -mask mask.png -depth 4 -dither FloydSteinberg output.png
```

When run on a vulnerable version (< 7.1.2-24), this command can cause a heap corruption crash. For a more targeted trigger, one can use the Magick.NET API in C#:

```csharp
using (var image = new MagickImage("input.png"))
using (var mask = new MagickImage("mask.png"))
{
    image.SetMask(mask);
    image.Depth = 4; // Triggers dithering
    image.Dither = DitherMethod.FloydSteinberg;
    image.Write("output.png");
}
```

The underwrite occurs during the error‑diffusion pass. By carefully crafting the image dimensions and mask contents, an attacker may corrupt heap metadata to achieve denial of service or, under specific conditions, arbitrary code execution.

Protection

  • Upgrade ImageMagick to 7.1.2-24 or later.
  • Upgrade Magick.NET packages to 14.14.0 or later.
  • For Debian‑based systems, the fixed version is `8:7.1.2.24+dfsg1-1` (available in sid).
  • As a temporary workaround, avoid using the Floyd‑Steinberg dithering method on images with masks, or disable mask processing altogether if not required.
  • Apply the official patch commit from the ImageMagick repository (GHSA-2hhq-c99x-492r).

Impact

  • Confidentiality: None (CVSS:C:N) — the underwrite does not directly leak memory contents.
  • Integrity: None (CVSS:I:N) — no data modification outside the corrupted heap region.
  • Availability: High (CVSS:A:H) — the underwrite can corrupt heap metadata, leading to application crashes (denial of service).
  • Potential for Code Execution: Under favourable conditions (e.g., when the corrupted heap data includes function pointers or adjacent objects with vtable entries), an attacker may achieve arbitrary code execution.
  • Affected Ecosystems: All applications and services that use ImageMagick or Magick.NET to process user‑supplied images with masks and Floyd‑Steinberg dithering are at risk. This includes web‑based image resizing/optimisation services, document conversion tools, and media management platforms.
  • Exploit Prerequisites: Local attack vector, user interaction required (the victim must process a malicious image), and no special privileges needed.

Sources:

Reported By: github.com