ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder · CVE-2026-31853 · GitHub Advisory Database · GitHub

ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder

Moderate severity GitHub Reviewed Published Mar 10, 2026 in ImageMagick/ImageMagick • Updated Mar 19, 2026

Package

Magick.NET-Q16-AnyCPU (NuGet)

Affected versions

< 14.10.4

Patched versions

14.10.4

Magick.NET-Q16-HDRI-AnyCPU (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-x86 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-OpenMP-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-OpenMP-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-OpenMP-x86 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-x86 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-AnyCPU (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-OpenMP-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-OpenMP-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-x86 (NuGet)

< 14.10.4

14.10.4

Description

An overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images.

References

dlemstra published to ImageMagick/ImageMagick

Mar 10, 2026

Published to the GitHub Advisory Database Mar 10, 2026

Reviewed Mar 10, 2026

Published by the National Vulnerability Database

Mar 11, 2026

Last updated Mar 19, 2026

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H