Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stack Buffer Overflow that can lead to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

ImageMagick implements an MNG encoder with missing bounds checks that can corrupt the stack with attacker-controlled data. The flaw is a classic stack buffer overflow (CWE‑121) and, if successfully exploited, could allow an attacker to execute arbitrary code on a system where ImageMagick processes the vulnerable image. The official description notes the potential for stack corruption but does not specify confirmed remote code execution, so the impact is inferred as a possibility to compromise confidentiality, integrity, and availability by executing code with the privileges of the ImageMagick process.

Affected Systems

ImageMagick versions older than 7.1.2‑16 and 6.9.13‑41 are affected. The vulnerability exists in the core ImageMagick software used for image editing and manipulation, and any deployment that relies on older releases is at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score shows a very low but nonzero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the ability to process a crafted MNG image; therefore the most likely attack vector is via an application or service that accepts image input (e.g., a web server or media processing pipeline) and runs ImageMagick with it. This insight is inferred from the nature of the vulnerability, as the description does not explicitly state an attack vector.

Generated by OpenCVE AI on April 18, 2026 at 09:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑16, 6.9.13‑41, or later to apply the official fix
  • If upgrading is not immediately possible, configure your application or environment to reject or block MNG files from untrusted sources, or otherwise limit the input fed to ImageMagick
  • Consider substituting ImageMagick with an alternative image processing library that does not support the vulnerable MNG encoder for environments where upgrade cannot be performed

Generated by OpenCVE AI on April 18, 2026 at 09:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Github GHSA Github GHSA GHSA-7h7q-j33q-hvpf ImageMagick has stack write buffer overflow in MNG encoder
History

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a stack write buffer overflow in MNG encoder
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T15:58:15.300Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28690

cve-icon Vulnrichment

Updated: 2026-03-10T15:58:12.348Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:44.127

Modified: 2026-03-11T17:32:13.573

Link: CVE-2026-28690

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:39:53Z

Links: CVE-2026-28690 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses