CVE-2026-46521: ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression

May 18, 2026 (updated June 11, 2026)

When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check.

References

github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx
github.com/advisories/GHSA-jcqp-6r6f-3mfx
nvd.nist.gov/vuln/detail/CVE-2026-46521

Code Behaviors & Features

Detect and mitigate CVE-2026-46521 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →