ANT-2026-T44WA684 · ImageMagick

heap-buffer-overflow high

GHSA-x9h5-r9v2-vcww

Severity Claude high · Security research firm high · Maintainer high

Discovered by Claude Mythos Preview

SECURITY RESEARCH FIRM ANALYSIS

Triage and disclosure were performed by Trail of Bits. The writeup below is the document the firm sent to the maintainer.

Verdict: true positive
Severity: high

A heap buffer overflow occurs in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.

TIMELINE

Dates from discovery through public reveal.

  1. 2026-03-29 Reported to tracker
  2. 2026-04-05 Sent to maintainer
  3. 2026-04-05 Maintainer acknowledged
  4. 2026-04-14 Patch released
  5. 2026-05-20 Publicly revealed

PROVENANCE

SHA-3-512 hash:

5fa45f8be9b5ba3482740069c2ecd6a0d4d1fbb393a9703ea83b752adeadfbe879be4bcce09f7bec25c2ec9b8d5fbd9fc9d635817b5554139e5837d55c1f0c7d

Committed 2026-04-05 16:37 PT

Revealed 2026-05-20 00:40 PT

Preimage JSON:
{
  "ant_id": "ANT-2026-T44WA684",
  "bug_class": "heap-buffer-overflow",
  "claude_severity": "high",
  "commit_sha": null,
  "created_at": "2026-03-29T20:42:59+00:00",
  "description": null,
  "discovered_at": null,
  "location": null,
  "poc_sha256": null,
  "preimage_version": 1,
  "project": "ImageMagick",
  "reproduction": null,
  "technical_details": null,
  "title": "Heap buffer overflow in MVG pattern rendering via CopyMagickString without bounds check",
  "vendor_severity": "high"
}