CVE-2026-23876
Published: 20 January 2026
Summary
CVE-2026-23876 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification, reporting, and correction of the heap buffer overflow flaw in ImageMagick by patching to fixed versions 7.1.2-13 or 6.9.13-38.
Mandates validation of image inputs to reject maliciously crafted XBM files before processing by the vulnerable ReadXBMImage decoder.
Implements memory protections such as DEP or ASLR to mitigate unauthorized code execution from heap buffer overflows in ImageMagick.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in ImageMagick XBM decoder enables remote code execution via malicious image supplied to public-facing apps (e.g., web upload pipelines).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated…
more
heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.
Deeper analysisAI
CVE-2026-23876, published on 2026-01-20, is a heap buffer overflow vulnerability (CWE-122, CWE-190) in the XBM image decoder function ReadXBMImage within ImageMagick, an open-source software suite for editing and manipulating digital images. The flaw affects versions prior to 7.1.2-13 and 6.9.13-38, allowing an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted XBM image file. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and can be triggered by any ImageMagick operation that reads or identifies an image.
An unauthenticated remote attacker (PR:N) can exploit this vulnerability by supplying a malicious XBM image to a target system running vulnerable ImageMagick, such as through common image upload and processing pipelines in web applications or media handlers. Exploitation requires high attack complexity (AC:H) but can result in high-impact confidentiality, integrity, and availability compromises (C:H/I:H/A:H), potentially enabling arbitrary code execution or system crashes depending on the controlled data written beyond the heap buffer.
Mitigation is provided by upgrading to ImageMagick versions 7.1.2-13 or 6.9.13-38, which include fixes for the issue. The ImageMagick GitHub security advisory (GHSA-r49w-jqq3-3gx8) and the patching commit (2fae24192b78fdfdd27d766fd21d90aeac6ea8b8) offer additional technical details on the resolution.
Details
- CWE(s)