Apr 13, 2026·5 min read·31 visits
A 32-bit integer overflow in ImageMagick's despeckle filter leads to an undersized heap allocation and subsequent out-of-bounds write.
ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 contain an integer overflow vulnerability in the DespeckleImage function. When processing maliciously crafted images on 32-bit architectures, this flaw causes a heap-based buffer overflow, leading to process crashes and potentially arbitrary code execution.
ImageMagick is a widely deployed open-source software suite responsible for parsing, manipulating, and converting digital images. The suite exposes a broad attack surface due to the complexity of image format specifications and algorithmic manipulations. Vulnerability CVE-2026-34238 affects the despeckle operation in ImageMagick versions prior to 7.1.2-19 and 6.9.13-44.
The vulnerability is fundamentally an integer overflow (CWE-190) that directly leads to an out-of-bounds write (CWE-787) on the heap. Specifically, the flaw exists within the DespeckleImage function, which calculates the required buffer size based on user-supplied image dimensions.
When processed on 32-bit architectures, the arithmetic operation used to determine memory allocation size can wrap around. This results in an undersized heap allocation. Subsequent pixel processing loops use the original, non-wrapped dimension values, causing uncontrolled memory corruption during pixel manipulation.
The root cause of CVE-2026-34238 resides in MagickCore/effect.c. The DespeckleImage function relies on the image->columns and image->rows attributes, which represent the width and height of the target image. To apply the despeckle filter, the algorithm requires a padded buffer, adding 2 to both dimensions before multiplying them to determine the total pixel count.
On 32-bit systems, the variable designated to store this total size is a 32-bit size_t. The maximum representable value is 4,294,967,295. The calculation executes (image->columns + 2) * (image->rows + 2). If an attacker constructs an image where both dimensions approach 65,534, the multiplication results in 4,294,967,296.
Because the result exceeds the 32-bit limit, the integer wraps around to a value near zero. The AcquireVirtualMemory function receives this undersized length argument and successfully allocates a correspondingly small heap buffer. The despeckle algorithm then iterates over the full original dimensions, writing pixel data far past the boundaries of the allocated heap chunk.
Analyzing the vulnerable implementation highlights the lack of pre-condition bounds checking before the arithmetic operation. The original code unconditionally performs the addition and multiplication in a single statement, directly casting to size_t.
/* Vulnerable MagickCore/effect.c */
MagickExport Image *DespeckleImage(const Image *image, ExceptionInfo *exception)
{
/* ... */
/* Allocate image buffer. Vulnerability occurs here. */
length = (size_t)((image->columns + 2) * (image->rows + 2));
pixel_info = AcquireVirtualMemory(length, sizeof(*pixels));
/* ... */
}The upstream patch (commit bcd8519c70ecd9ebbc180920f2cf97b267d1f440) introduces a boundary check for the + 2 operation, comparing the raw columns and rows against MAGICK_SIZE_MAX - 2.
/* Patched MagickCore/effect.c */
if ((image->columns > (MAGICK_SIZE_MAX-2)) ||
(image->rows > (MAGICK_SIZE_MAX-2)))
{
despeckle_image=DestroyImage(despeckle_image);
ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
}
length=(image->columns+2)*(image->rows+2);This patch only prevents the addition from overflowing. It does not validate the result of the multiplication. On a 32-bit target, supplying dimensions of 65,534 passes the MAGICK_SIZE_MAX - 2 check. The subsequent multiplication (65534 + 2) * (65534 + 2) still results in an overflow. This indicates the fix is incomplete, and variant attacks remain mathematically viable.
Exploitation requires the attacker to supply a maliciously crafted image to an application utilizing a vulnerable, 32-bit compiled version of ImageMagick. The attacker embeds specific structural dimensions within the image header to manipulate the columns and rows values parsed by the library.
When the application triggers the DespeckleImage function, the integer overflow occurs. This trigger often happens via explicit command-line flags (-despeckle) or automated backend image processing pipelines that apply noise-reduction algorithms. The application allocates the undersized heap chunk.
As the memory corruption triggers an out-of-bounds write of pixel data, the attacker overwrites adjacent heap metadata or application data structures. The precise exploitation sequence depends on the underlying heap allocator and the exact layout of memory at the time of the crash. AddressSanitizer logs from the initial disclosure explicitly confirm an 8-byte out-of-bounds write during this phase.
The immediate impact of triggering CVE-2026-34238 is a denial-of-service (DoS) condition. As the out-of-bounds write corrupts critical heap metadata, the application process will eventually fault and terminate. This results in high availability impact (A:H) per the CVSS v3.1 vector.
While the CVSS scoring designates confidentiality and integrity impact as none (C:N, I:N), controlled heap buffer overflows inherently introduce the risk of arbitrary code execution. An attacker capable of grooming the heap to place a target function pointer or object adjacent to the undersized allocation could hijack control flow.
Exploiting this condition for code execution requires precise memory alignment and bypassed exploit mitigations (ASLR, DEP). The complexity is marked as high (AC:H) specifically due to the strict 32-bit architectural requirement and the intricacies of heap layout grooming via an image processing pipeline.
Organizations must apply the upstream patches by upgrading ImageMagick to versions 7.1.2-19 or 6.9.13-44. Development teams utilizing the Magick.NET bindings must update their NuGet package dependencies to version 14.12.0 or later to ensure the compiled libraries incorporate the patched binaries.
In environments where immediate patching is unfeasible, administrators should implement strict boundary controls via the ImageMagick policy.xml configuration file. By globally restricting the maximum allowable width and height, the parsing engine will reject structurally oversized images before the DespeckleImage function calculates memory requirements.
The recommended policy explicitly limits the width and height resources to 16KP (16,000 pixels). This upper bound is sufficiently low to prevent the integer multiplication from approaching the 32-bit maximum limit of 4,294,967,295, successfully mitigating the overflow condition prior to the vulnerable function call.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
ImageMagick (v7) ImageMagick | < 7.1.2-19 | 7.1.2-19 |
ImageMagick (v6) ImageMagick | < 6.9.13-44 | 6.9.13-44 |
Magick.NET dlemstra | < 14.12.0 | 14.12.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-190 |
| CVSS Base Score | 5.1 |
| Attack Vector | Local (AV:L) |
| Impact | High Availability (A:H) |
| Attack Complexity | High (AC:H) |
| Privileges Required | None (PR:N) |
An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation.
An authentication bypass in the SiYuan personal knowledge management system before version 3.7.0 exposes a dynamic icon rendering endpoint. This endpoint processes client-supplied Go template directives. By submitting a crafted request, an unauthenticated remote attacker can leverage registered database template functions to execute arbitrary read-only SQL queries and exfiltrate workspace contents.
CVE-2026-54069 is a critical authentication bypass vulnerability in the SiYuan Note personal knowledge management system. The flaw is located in the HTTP server's middleware handling API authorization, which unconditionally trusts requests carrying a 'chrome-extension://' scheme in the Origin HTTP header, granting administrative access without validating API tokens.
CVE-2026-54089 is a critical authentication bypass vulnerability in File Browser affecting instances configured with proxy-based authentication. An unauthenticated remote attacker with direct network access can impersonate arbitrary users or register new accounts by spoofing configured HTTP headers.
The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.
CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.
An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.