Cyber Resilience

CVE-2026-27798

Severity: Medium
Published: 26 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 4.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.0002 (percentile 4.2)
Risk Priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27798 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in ImageMagick (vendor ImageMagick). Its CVSS v3.1 base score is 4.0 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). Its EPSS score of 0.0002 places it at the 4.2 percentile of exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27798 is a heap buffer over-read in ImageMagick, the free and open-source suite for editing and manipulating digital images. The flaw affects 7.x releases before 7.1.2-15 and legacy 6.x releases before 6.9.13-40, and is triggered when an image with small dimensions is processed with the `-wavelet-denoise` operator. It is classified under CWE-125 (Out-of-bounds Read) and CWE-126 (Buffer Over-read), with a CVSS v3.1 base score of 4.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

The CVSS vector rates the attack vector as local with low attack complexity, no privileges and no user interaction. A successful trigger discloses a limited amount of heap memory from the ImageMagick process (C:L); integrity and availability impacts are scored as none, and scope is unchanged, meaning the effect stays within the vulnerable component. AV:L reflects that the operator runs on the host doing the processing: a service that applies `-wavelet-denoise` to user-supplied images hands this trigger to remote input, so exposure should be judged by where untrusted images are processed, not by the "local" label alone.

Versions 7.1.2-15 and 6.9.13-40 of ImageMagick contain the fix, as detailed in the project's GitHub security advisory GHSA-qpgx-jfcq-r59f and the fixing commit 0377e60b3c0d766bd7271221c95d9ee54f6a3738. Magick.NET release 14.10.3 also incorporates the fix for .NET integrations that bundle ImageMagick.

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise` operator. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

CWE-125 Out-of-bounds Read
CWE-126 Buffer Over-read

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The heap over-read discloses contents of the ImageMagick process memory when the affected operator is invoked, which corresponds to collecting data from a local source on the system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23952 (same product: Dlemstra Magick.NET)
CVE-2026-24485 (same product: Dlemstra Magick.NET)
CVE-2026-25965 (same product: ImageMagick)
CVE-2026-33905 (same product: ImageMagick)
CVE-2026-24481 (same product: ImageMagick)
CVE-2026-25898 (same product: ImageMagick)
CVE-2026-25987 (same product: ImageMagick)
CVE-2026-26284 (same product: ImageMagick)
CVE-2026-28693 (same product: ImageMagick)
CVE-2026-25897 (same product: ImageMagick)

Affected Assets

ImageMagick / ImageMagick
6.x branch: < 6.9.13-40 (fixed in 6.9.13-40)
7.x branch: 7.0.0-0 up to but not including 7.1.2-15 (fixed in 7.1.2-15)

Dlemstra / Magick.NET
< 14.10.3 (fixed in 14.10.3)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of the patched releases 7.1.2-15 / 6.9.13-40 (and Magick.NET 14.10.3) that close the wavelet-denoise heap over-read.

RA-5 Vulnerability Monitoring and Scanning (detect)

Requires scanning to discover installations of the vulnerable ImageMagick versions before an attacker can exploit the local over-read. Version strings of the form a.b.c-N must be compared numerically on all four components; a plain string comparison ranks 7.1.2-9 above 7.1.2-15.

Configuration settings (prevent)

Enforces configuration settings that restrict or replace the affected ImageMagick binary / operator set with approved versions, for example by pinning the package version and removing `-wavelet-denoise` from pipelines that process untrusted images until the fixed release is deployed.
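The RA-5 control above amounts to a version comparison. The following script is an added example, not code from the ImageMagick project or from the advisory: it parses the banner printed by `magick -version` / `convert -version` and reports whether the installed build precedes the first fixed release of its branch (7.1.2-15 or 6.9.13-40, taken from the advisory). The sample banners are constructed, and the assumption that the banner's first line has the form `Version: ImageMagick 7.1.2-9 Q16-HDRI ...` is mine; the comparison is done on a 4-tuple of integers so that patch levels after the hyphen order correctly.

```python
"""Check an installed ImageMagick against the fixed versions for CVE-2026-27798.

Added example, not from the ImageMagick project or the advisory. Fixed versions
come from the advisory; banner format and the sample strings are assumptions.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed release on each maintained branch (from the advisory).
FIXED = {
    6: (6, 9, 13, 40),
    7: (7, 1, 2, 15),
}

# Assumed banner shape: "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 ..."
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, micro, patchlevel) from a -version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, patch = (int(x) for x in m.groups())
    return (major, minor, micro, patch)


def is_vulnerable(version: Version) -> bool:
    """True when the version precedes the first fixed release of its branch.

    Tuple comparison orders 7.1.2-9 before 7.1.2-15; a string comparison would
    not. Branches the advisory does not cover (e.g. a hypothetical 8.x) return
    False here and are reported separately by assess().
    """
    fixed = FIXED.get(version[0])
    if fixed is None:
        return False
    return version < fixed


def assess(banner: str) -> str:
    """Classify a banner as vulnerable, fixed or unknown, with the reason."""
    v = parse_version(banner)
    if v is None:
        return "unknown: could not parse an ImageMagick version from the banner"
    label = "%d.%d.%d-%d" % v
    if v[0] not in FIXED:
        return f"unknown: {label} is not on a branch covered by the advisory"
    if is_vulnerable(v):
        return f"vulnerable: {label} < {'%d.%d.%d-%d' % FIXED[v[0]]} (CVE-2026-27798)"
    return f"fixed: {label}"


def installed_banner() -> Optional[str]:
    """Run the local magick/convert binary, if one is on PATH, and return its output."""
    for exe in ("magick", "convert"):
        path = shutil.which(exe)
        if path:
            proc = subprocess.run([path, "-version"], capture_output=True, text=True, check=False)
            return proc.stdout
    return None


# Constructed sample banners (not captured from real systems).
SAMPLE_BANNERS = [
    "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 22478 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 22551 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-39 Q16 x86_64 17919 https://legacy.imagemagick.org",
    "Version: ImageMagick 6.9.13-40 Q16 x86_64 17922 https://legacy.imagemagick.org",
]

if __name__ == "__main__":
    banner = installed_banner()
    if banner:
        print("installed:", assess(banner))
    else:
        print("installed: no magick/convert binary found on PATH")
    for b in SAMPLE_BANNERS:
        print("sample:   ", assess(b))
```

Run it on each host (or feed it the captured `-version` output from an inventory job) and treat any "vulnerable" or "unknown" result as a finding; "unknown" covers builds whose banner does not carry the a.b.c-N string and needs manual review rather than being silently passed.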

References

GitHub security advisory GHSA-qpgx-jfcq-r59f
Fixing commit 0377e60b3c0d766bd7271221c95d9ee54f6a3738 (ImageMagick)