ImageMagick has uninitialized pointer dereference in JBIG decoder · CVE-2026-28691 · GitHub Advisory Database · GitHub

ImageMagick has uninitialized pointer dereference in JBIG decoder

High severity GitHub Reviewed Published Mar 9, 2026 in ImageMagick/ImageMagick • Updated Mar 12, 2026

Package

Magick.NET-Q16-AnyCPU (NuGet)

Affected versions

< 14.10.4

Patched versions

14.10.4

Magick.NET-Q16-HDRI-AnyCPU (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-HDRI-x86 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-OpenMP-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-OpenMP-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-OpenMP-x86 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q16-x86 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-AnyCPU (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-OpenMP-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-OpenMP-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-arm64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-x64 (NuGet)

< 14.10.4

14.10.4

Magick.NET-Q8-x86 (NuGet)

< 14.10.4

14.10.4

Description

An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check.

References

dlemstra published to ImageMagick/ImageMagick

Mar 9, 2026

Published by the National Vulnerability Database

Mar 10, 2026

Published to the GitHub Advisory Database Mar 12, 2026

Reviewed Mar 12, 2026

Last updated Mar 12, 2026

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H