Fluid Attacks Database

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	magick.net-q16-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-x86	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-x86	>=0 <14.12.0	14.12.0
nuget	magick.net-q8-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q8-x86	>=0 <14.12.0	14.12.0
debian 12	imagemagick	=8:6.9.11.60+dfsg-1.6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u1 \|\| =8:6.9.11.60+dfsg-1.6+deb12u2 \|\| =8:6.9.11.60+dfsg-1.6+deb12u3 \|\| =8:6.9.11.60+dfsg-1.6+deb12u4 \|\| =8:6.9.11.60+dfsg-1.6+deb12u5 \|\| =8:6.9.11.60+dfsg-1.6+deb12u6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u7 \|\| =8:6.9.11.60+dfsg-1.6+deb12u8 \|\| >=0 <8:6.9.11.60+dfsg-1.6+deb12u9	8:6.9.11.60+dfsg-1.6+deb12u9
debian 13	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.43+dfsg1-1+deb13u1 \|\| =8:7.1.1.43+dfsg1-1+deb13u2 \|\| =8:7.1.1.43+dfsg1-1+deb13u3 \|\| =8:7.1.1.43+dfsg1-1+deb13u4 \|\| =8:7.1.1.43+dfsg1-1+deb13u5 \|\| =8:7.1.1.43+dfsg1-1+deb13u6 \|\| =8:7.1.1.43+dfsg1-1+deb13u7 \|\| >=0 <8:7.1.1.43+dfsg1-1+deb13u8	8:7.1.1.43+dfsg1-1+deb13u8
debian 14	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.46+dfsg1-1 \|\| =8:7.1.1.47+dfsg1-1 \|\| =8:7.1.1.47+dfsg1-2 \|\| =8:7.1.2.1+dfsg1-1 \|\| =8:7.1.2.12+dfsg1-1 \|\| =8:7.1.2.13+dfsg1-1 \|\| =8:7.1.2.15+dfsg1-1 \|\| =8:7.1.2.15+dfsg1-2 \|\| =8:7.1.2.16+dfsg1-1 \|\| =8:7.1.2.18+dfsg1-1 \|\| =8:7.1.2.3+dfsg1-1 \|\| =8:7.1.2.7+dfsg1-1 \|\| =8:7.1.2.8+dfsg1-1 \|\| >=0 <8:7.1.2.19+dfsg1-1	8:7.1.2.19+dfsg1-1
debian 11	imagemagick	=8:6.9.11.60+dfsg-1.3 \|\| =8:6.9.11.60+dfsg-1.3+deb11u1 \|\| =8:6.9.11.60+dfsg-1.3+deb11u10 \|\| =8:6.9.11.60+dfsg-1.3+deb11u11 \|\| =8:6.9.11.60+dfsg-1.3+deb11u2 \|\| =8:6.9.11.60+dfsg-1.3+deb11u3 \|\| =8:6.9.11.60+dfsg-1.3+deb11u4 \|\| =8:6.9.11.60+dfsg-1.3+deb11u5 \|\| =8:6.9.11.60+dfsg-1.3+deb11u6 \|\| =8:6.9.11.60+dfsg-1.3+deb11u7 \|\| =8:6.9.11.60+dfsg-1.3+deb11u8 \|\| =8:6.9.11.60+dfsg-1.3+deb11u9 \|\| >=0 <8:6.9.11.60+dfsg-1.3+deb11u12	8:6.9.11.60+dfsg-1.3+deb11u12

1-10 of 12

Aliases

1. CVE-2026-339002. NVD-2026-339003. OSV-2026-339004. OSV-DEBIAN-2026-339005. GHSA-v67w-737x-v2c96. GCVE-2026-339007. SECURITY-TRACKER-CVE-2026-33900

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c92. https://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d3. https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-194. https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0