CVE-2026-56367 in ImageMagick

Summary

by MITRE • 06/21/2026

ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash.


Analysis

by VulDB Data Team • 06/21/2026

The vulnerability resides within ImageMagick's handling of PSB (Photoshop Document v2) files through the ReadPSDChannelRLE function located in the coders/psd.c source file. This integer overflow occurs specifically during RLE (Run-Length Encoding) decoding operations on 32-bit system builds, creating a critical security flaw that can be exploited through maliciously crafted PSB files. The flaw manifests as a heap out-of-bounds read condition that fundamentally compromises memory integrity and system stability.

The vulnerability stems from improper integer arithmetic in the RLE decoding algorithm, where insufficient bounds checking allows an attacker to manipulate the decoding process through crafted input data. When processing a malicious PSB file, the application fails to properly validate or constrain integer values during the decompression phase, leading to an overflow that subsequently causes memory access violations. The issue affects versions before 7.1.2-15 and 6.9.x versions before 6.9.13-40, indicating a long-standing flaw within the software's image processing pipeline. The vulnerability's impact is amplified on 32-bit systems where integer overflow conditions are more readily exploitable due to limited address space and memory constraints.

The operational consequences of this vulnerability extend beyond simple application crashes to include potential information disclosure and system instability. Attackers can leverage this flaw to extract sensitive memory contents through the out-of-bounds read, potentially exposing confidential data, cryptographic keys, or other system information. Additionally, the out-of-bounds access resulting from the overflow can cause unpredictable application behavior, including complete crashes that may be exploited for denial-of-service attacks or potentially more sophisticated exploitation techniques. The vulnerability represents a significant risk to environments where ImageMagick processes untrusted image files, particularly web applications, file processing systems, or automated workflows that handle user-uploaded content.

Mitigation should prioritize immediate patching of affected ImageMagick installations to the fixed releases named in the advisory (7.1.2-15, or 6.9.13-40 on the 6.9.x branch). Organizations should implement strict file validation procedures that include format checking and size limitations for all incoming image files, particularly those originating from untrusted sources. Network segmentation and application whitelisting can help reduce the attack surface by limiting which systems can process potentially malicious image files. Security monitoring should include detection of unusual memory access patterns or application crashes that may indicate exploitation attempts. The vulnerability aligns with CWE-190, Integer Overflow or Wraparound, and maps to ATT&CK technique T1203, Exploitation for Client Execution, when leveraged in web-based attack scenarios. Regular security audits and penetration testing of image processing workflows should be conducted to identify and remediate similar vulnerabilities in other image handling libraries and applications within the organization's infrastructure.
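As an added example (not ImageMagick or VulDB code), the following upload pre-filter implements the format check and size limits described above by parsing the 26-byte PSD/PSB file header before the file reaches ImageMagick. The `allow_psb` and `max_pixels` policy values and all function names are assumptions; the filter reduces exposure on unpatched hosts by refusing PSB input and does not detect the overflow itself.

```python
import struct

# PSD/PSB file header, big-endian, 26 bytes: signature, version,
# 6 reserved bytes, channels, height, width, depth, color mode.
HEADER = struct.Struct(">4sH6xHIIHH")


class Rejected(ValueError):
    """The upload must not be handed to the image pipeline."""


def check_psd_header(data, allow_psb=False, max_pixels=64_000_000):
    """Validate a PSD/PSB header; return its fields or raise Rejected.

    allow_psb and max_pixels are assumed local policy knobs.
    """
    if len(data) < HEADER.size:
        raise Rejected("truncated header")
    sig, version, channels, height, width, depth, mode = HEADER.unpack_from(data)
    if sig != b"8BPS":
        raise Rejected("not a PSD/PSB file")
    if version not in (1, 2):
        raise Rejected(f"unknown version {version}")
    if version == 2 and not allow_psb:
        raise Rejected("PSB (version 2) disabled by policy")
    if not 1 <= channels <= 56:
        raise Rejected("channel count out of range")
    if depth not in (1, 8, 16, 32):
        raise Rejected("unsupported bit depth")
    limit = 30_000 if version == 1 else 300_000  # per-dimension format maximum
    if not (1 <= width <= limit and 1 <= height <= limit):
        raise Rejected("dimensions out of range")
    if width * height > max_pixels:  # Python ints do not wrap
        raise Rejected("pixel count exceeds policy limit")
    return {"version": version, "channels": channels, "width": width,
            "height": height, "depth": depth, "mode": mode}


def make_header(version, channels, height, width, depth=8, mode=3):
    """Build a constructed sample header (not a real file) for the demo."""
    return HEADER.pack(b"8BPS", version, channels, height, width, depth, mode)


if __name__ == "__main__":
    samples = {"psd": make_header(1, 3, 600, 800),
               "psb": make_header(2, 3, 200_000, 200_000)}
    for name, hdr in samples.items():
        try:
            print(name, "accepted:", check_psd_header(hdr))
        except Rejected as exc:
            print(name, "rejected:", exc)
```

Run the check on the raw upload bytes before any ImageMagick call, and keep `allow_psb=False` until every worker runs a fixed release.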

Responsible

VulnCheck

Reservation

06/21/2026

Disclosure

06/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
