CVE-2026-28693
Published: 10 March 2026
Summary
CVE-2026-28693 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in ImageMagick. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28693 is an integer overflow vulnerability in the DIB coder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects ImageMagick versions prior to 7.1.2-16 and 6.9.13-41, where improper handling of image data can lead to out-of-bounds read or write operations. It is associated with CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound), and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 8.1 (High).
The vulnerability can be exploited remotely over a network by unauthenticated attackers (PR:N) without requiring user interaction (UI:N), though it demands high attack complexity (AC:H) and does not change the scope (S:U). Successful exploitation enables high-impact consequences, including unauthorized disclosure of sensitive information (C:H), modification of data or system integrity (I:H), and denial of service via availability disruption (A:H), such as through memory corruption.
The ImageMagick security advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hffp-q43q-qq76 confirms the issue and states that it is fixed in versions 7.1.2-16 and 6.9.13-41. Security practitioners should update to these patched releases to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10389
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in the DIB coder can result in an out-of-bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer overflow in ImageMagick DIB coder enables remote unauthenticated exploitation of public-facing apps (T1190) processing images over the network, with memory corruption directly supporting application DoS via exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely patching of the integer overflow in ImageMagick's DIB coder, as fixed in versions 7.1.2-16 and 6.9.13-41, to eliminate the vulnerability.
- SI-16 (Memory Protection): Implements memory protections such as ASLR and DEP to hinder exploitation of the out-of-bounds reads/writes caused by the integer overflow in ImageMagick.
- Input validation: Enforces validation and sanitization of image inputs to the DIB coder in ImageMagick to block malformed data from triggering the integer overflow.
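To act on the patching control, a defender first needs to know whether a deployed build predates the fix on its branch. The following is an added example (not code from ImageMagick or from this page) that parses ImageMagick's `X.Y.Z-N` version form, either bare or from the first line of `magick -version` / `convert -version` output, and compares it against the fixed release for the 6.x or 7.x branch named in the advisory. The sample version line is constructed, and treating major versions other than 6 and 7 as outside the advisory's scope is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases named in the advisory, keyed by major-version branch.
FIXED_BY_BRANCH: Dict[int, Version] = {
    6: (6, 9, 13, 41),
    7: (7, 1, 2, 16),
}

# Constructed sample of the first line printed by `magick -version`;
# the build number and URL are illustrative, not captured from a host.
SAMPLE_VERSION_OUTPUT = (
    "Version: ImageMagick 7.1.1-47 Q16-HDRI x86_64 22763 https://imagemagick.org"
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch, release) from a bare 'X.Y.Z-N' string
    or from `magick -version` output. Raises ValueError when absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no ImageMagick version found in: {text!r}")
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it is at
    or beyond the fix, None for branches the advisory does not cover
    (assumption: only 6.x and 7.x are in scope)."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so 6.9.12-99 < 6.9.13-41 holds.
    return version < fixed


if __name__ == "__main__":
    verdict = is_vulnerable(SAMPLE_VERSION_OUTPUT)
    print(f"{parse_version(SAMPLE_VERSION_OUTPUT)}: vulnerable={verdict}")
```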