Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack buffer overflow leading to potential arbitrary code execution via malformed morphology kernels
Action: Immediate Patch
AI Analysis

Impact

ImageMagick parses morphology kernel strings into fixed-size stack buffers without bounds checking. When a user provides a kernel name or array longer than the buffer, the data is copied by memcpy, corrupting the stack. Stack corruption can overwrite control data and allow an attacker to execute arbitrary code, potentially compromising the system or application using ImageMagick.

Affected Systems

ImageMagick installations older than version 7.1.2-16 or 6.9.13-41 are affected. Any deployment that processes untrusted image data with morphology operations and runs a vulnerable version of ImageMagick is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1 and an EPSS score of less than 1 %, indicating a moderate to high severity but a low likelihood of exploitation. It is not listed in CISA’s KEV catalog. Exploitation would require an attacker to supply a crafted image that includes a long morphology kernel name or array, so the most plausible attack vector is the processing of untrusted image files. Successful exploitation could lead to arbitrary code execution or application crashes.

Generated by OpenCVE AI on April 17, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-16 or 6.9.13-41, which contain the fix
  • If an update is not immediately possible, restrict image uploads to trusted sources and disable or filter morphologic operations on untrusted content
  • Apply the latest security patches from the upstream repository and monitor vendor advisories for future fixes

Generated by OpenCVE AI on April 17, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Github GHSA Github GHSA GHSA-932h-jw47-73jm ImageMagick vulnerable to stack corruption through long morphology kernel names or arrays
History

Thu, 12 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick affected by stack corruption through long morphology kernel names or arrays
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:41:51.357Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28494

cve-icon Vulnrichment

Updated: 2026-03-10T14:41:45.791Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:40.040

Modified: 2026-03-12T15:18:08.087

Link: CVE-2026-28494

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:31:36Z

Links: CVE-2026-28494 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses