{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.885Z", "datePublished": "2026-03-09T21:50:15.495Z", "dateUpdated": "2026-03-10T14:34:52.599Z"}, "containers": {"cna": {"title": "ImageMagick has a heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-16", "status": "affected"}, {"version": "< 6.9.13-41", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:50:15.495Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "source": {"advisory": "GHSA-qpg4-j99f-8xcg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:34:45.797676Z", "id": "CVE-2026-30937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:34:52.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:34:45.797676Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:34:48.846Z"}}], "cna": {"title": "ImageMagick has a heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation", "source": {"advisory": "GHSA-qpg4-j99f-8xcg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.1.2-16"}, {"status": "affected", "version": "< 6.9.13-41"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:50:15.495Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30937", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:34:52.599Z", "dateReserved": "2026-03-07T16:40:05.885Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T21:50:15.495Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. Antes de las versiones 7.1.2-16 y 6.9.13-41, un desbordamiento de entero sin signo de 32 bits en el codificador XWD (X Windows) puede causar una asignaci\u00f3n de b\u00fafer de pila de tama\u00f1o insuficiente. Al escribir una imagen extremadamente grande, puede ocurrir una escritura de pila fuera de l\u00edmites. Esta vulnerabilidad est\u00e1 corregida en 7.1.2-16 y 6.9.13-41."}], "id": "CVE-2026-30937", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T07:44:57.840", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of Service via integer overflow in XWD encoder", "id": "2445882", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445882"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in ImageMagick, a software suite for editing and manipulating digital images. An integer overflow vulnerability exists in the XWD (X Windows) encoder when processing extremely large images. This flaw can lead to an undersized memory allocation, resulting in an out-of-bounds write to the heap. A local attacker could exploit this to cause a denial of service (DoS) or potentially impact data integrity."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict ImageMagick's processing of untrusted or excessively large XWD image files. Implement input validation to ensure that image dimensions and sizes are within expected operational limits before processing them with ImageMagick."}, "name": "CVE-2026-30937", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-03-09T21:50:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30937\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30937\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg"], "statement": "A MODERATE impact heap buffer overflow exists in ImageMagick's XWD encoder, `WriteXWDImage`. This flaw occurs when processing extremely large images, leading to an undersized heap buffer allocation and a potential out-of-bounds write. Red Hat products shipping ImageMagick are affected if configured to generate or convert excessively large images into the XWD format.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.2-16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-41)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "created": "2026-03-10T14:06:41.870522+00:00", "updated": "2026-03-10T14:06:41.870628+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}