CVE-2026-27798 – ImageMagick versions prior to 7.1.2-15 and 6.9.... (How to Fix)

Q: How do I fix CVE-2026-27798?

1. Update ImageMagick to version 7.1.2-15 or 6.9.13-40 or later. 2. For Magick.NET users, update to version 14.10.3 or later. 3. Restart any services or applications using ImageMagick.

Q: What is the severity of CVE-2026-27798?

CVE-2026-27798 has a CVSS score of 4.0 (MEDIUM). ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain a heap buffer over-read vulnerability when processing images with small dimensions using the -wavelet-denoise operator. This could allow attackers to read sensitive memory contents or cause denial of service. Users and applications that process untrusted images with ImageMagick are affected.

📋 TL;DR

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain a heap buffer over-read vulnerability when processing images with small dimensions using the -wavelet-denoise operator. This could allow attackers to read sensitive memory contents or cause denial of service. Users and applications that process untrusted images with ImageMagick are affected.

💻 Affected Systems

Products:

ImageMagick
Magick.NET
Any software using vulnerable ImageMagick libraries

Versions: ImageMagick < 7.1.2-15, < 6.9.13-40

Operating Systems: All platforms where ImageMagick runs (Linux, Windows, macOS, etc.)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects usage of the -wavelet-denoise operator on images with small dimensions. Many applications may not use this specific operator.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure through memory leakage, potentially exposing sensitive data like credentials or encryption keys, or application crash leading to denial of service.

🟠

Likely Case

Application instability or crash when processing specially crafted images with the wavelet-denoise operator, causing denial of service.

🟢

If Mitigated

Minimal impact if proper input validation and sandboxing are implemented, with crashes contained to isolated processes.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting a malicious image file and triggering the vulnerable operator. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ImageMagick 7.1.2-15, 6.9.13-40

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f

Restart Required: Yes

Instructions:

1. Update ImageMagick to version 7.1.2-15 or 6.9.13-40 or later. 2. For Magick.NET users, update to version 14.10.3 or later. 3. Restart any services or applications using ImageMagick.

🔧 Temporary Workarounds

Disable wavelet-denoise operator

all

Prevent usage of the vulnerable -wavelet-denoise operator in ImageMagick configurations

Edit ImageMagick policy.xml to add: <policy domain="coder" rights="none" pattern="WAVELET_DENOISE" />

Input validation

all

Reject or sanitize image files with extremely small dimensions before processing

Implement pre-processing checks to ensure image dimensions meet minimum thresholds

🧯 If You Can't Patch

Implement strict input validation to reject images with suspiciously small dimensions
Sandbox ImageMagick processes to limit potential impact of crashes or memory leaks

🔍 How to Verify

Check if Vulnerable:

Check ImageMagick version with: convert --version | grep Version

Check Version:

convert --version

Verify Fix Applied:

Verify version is 7.1.2-15/6.9.13-40 or later, or test with a known problematic image using wavelet-denoise

📡 Detection & Monitoring

Log Indicators:

ImageMagick process crashes or segmentation faults
Unusual memory access patterns in application logs

Network Indicators:

Uploads of image files followed by application instability

SIEM Query:

source="*imagick*" AND (event="segfault" OR event="crash")

📊 Metadata

CVE ID: CVE-2026-27798

CVSS v3 Score: 4.0 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-125

Published: February 26, 2026

Last Updated: February 27, 2026

🔗 References

https://github.com/ImageMagick/ImageMagick/commit/0377e60b3c0d766bd7271221c95d9ee54f6a3738 Patch
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f Vendor Advisory
https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3 Product,Release Notes

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-27798, you might also want to check these: