Heap Over-read in ImageMagick Due to MAT Decoder Arithmetic Flaw
CVE-2026-28692

4.8MEDIUM

Key Information:

Vendor: Imagemagick
Status: Imagemagick
Vendor: CVE Published:; 9 March 2026

🔔 Create Imagemagick Vulnerability Alert

What is CVE-2026-28692?

ImageMagick, a popular open-source software for image manipulation, is susceptible to a vulnerability stemming from the MAT decoder's use of 32-bit arithmetic due to incorrect parenthesization. This flaw can lead to a heap over-read, potentially exposing sensitive information. This issue is remediated in versions 7.1.2-16 and 6.9.13-41, underscoring the importance of upgrading to secure versions to protect against this type of exploit.

Affected Version(s)

ImageMagick >= 7.0.0, < 7.1.2-16 < 7.0.0, 7.1.2-16

ImageMagick < 6.9.13-41 < 6.9.13-41

References

https://github.com/ImageMagick/ImageMagick/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2026
Vulnerability Reserved
Mar 2, 2026

CVE-2026-28692 Data

JSON