CVE-2026-32636
Published: 18 March 2026
Summary
CVE-2026-32636 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of known software flaws like the out-of-bounds write bug in ImageMagick's NewXMLTree method that leads to denial-of-service crashes.
Mandates vulnerability scanning to identify systems running vulnerable ImageMagick versions prior to 7.1.2-17 or 6.9.13-42.
Ensures monitoring and implementation of security advisories for vulnerabilities such as CVE-2026-32636 in ImageMagick.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network-reachable out-of-bounds write in ImageMagick enables denial-of-service via application crash when the library is used by a public-facing service (T1190); the direct impact is application or system exploitation resulting in endpoint DoS (T1499.004).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single…
more
zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.
Deeper analysisAI
CVE-2026-32636 is a vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue resides in the NewXMLTree method, where a bug allows an out-of-bounds write of a single zero byte, potentially leading to a crash. It affects ImageMagick versions prior to 7.1.2-17 and 6.9.13-42.
The vulnerability has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating it is exploitable over the network with low attack complexity, requiring no privileges or user interaction. An unauthenticated attacker can trigger the out-of-bounds write remotely, resulting in denial-of-service through application crashes, with no impact on confidentiality or integrity.
ImageMagick advisories recommend upgrading to version 7.1.2-17 or 6.9.13-42, which address the bug. Relevant GitHub releases and security advisories detail the fixes, including updates for related projects like Magick.NET version 14.11.0.
Details
- CWE(s)