ImageMagick: Heap Buffer Over-Read in IPTC encoder · CVE-2026-42326 · GitHub Advisory Database · GitHub

ImageMagick: Heap Buffer Over-Read in IPTC encoder

Moderate severity GitHub Reviewed Published May 16, 2026 in ImageMagick/ImageMagick • Updated May 18, 2026

Package

Magick.NET-Q16-AnyCPU (NuGet)

Affected versions

< 14.13.1

Patched versions

14.13.1

Magick.NET-Q16-HDRI-AnyCPU (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-HDRI-arm64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-HDRI-x64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-HDRI-x86 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-OpenMP-arm64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-OpenMP-x64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-arm64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-x64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q16-x86 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q8-AnyCPU (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q8-OpenMP-arm64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q8-OpenMP-x64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q8-arm64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q8-x64 (NuGet)

< 14.13.1

14.13.1

Magick.NET-Q8-x86 (NuGet)

< 14.13.1

14.13.1

Description

When writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte.

References

GHSA-7wff-wpr6-vmhm

dlemstra published to ImageMagick/ImageMagick

May 16, 2026

Published to the GitHub Advisory Database May 18, 2026

Reviewed May 18, 2026

Last updated May 18, 2026

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Weaknesses

CWE-125

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer. Learn more on MITRE.

CWE-191

Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. Learn more on MITRE.