CVE-2026-30936: ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage

March 12, 2026

A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur.

=================================================================
==661320==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000002754 at pc 0x5ff45f82c92a bp 0x7fffb732b400 sp 0x7fffb732b3f0
WRITE of size 4 at 0x503000002754 thread T0

References

github.com/ImageMagick/ImageMagick
github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5ggv-92r5-cp4p
github.com/advisories/GHSA-5ggv-92r5-cp4p
github.com/dlemstra/Magick.NET/releases/tag/14.10.4
nvd.nist.gov/vuln/detail/CVE-2026-30936

Code Behaviors & Features

Detect and mitigate CVE-2026-30936 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →