Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-23, due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. This issue has been patched in version 7.1.2-23.
Published: 2026-06-10
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from a missing depth check in ImageMagick's fx operation. A crafted argument can trigger a stack overflow, potentially corrupting memory. The resulting memory corruption could lead to an application crash or, in some contexts, arbitrary code execution if the overwritten data controls execution flow. The weakness is classified as CWE‑120: Buffer Overflow and CWE‑674: Integer or Buffer Overflow.

Affected Systems

ImageMagick software, version 7.x prior to 7.1.2-23. The patch was released in version 7.1.2-23.

Risk and Exploitability

The CVSS score of 6.2 indicates a moderate risk. The EPSS score is less than 1%, suggesting a low probability that this vulnerability will be actively exploited in the near term. This vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require the attacker to supply a malicious image to a system running an unpatched ImageMagick instance. Because the flaw resides in a stack‑based buffer, the attack vector is inferred to be local or through a remote service that processes images without proper input validation.

Generated by OpenCVE AI on June 13, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-23 or later.
  • If an immediate upgrade is not possible, disable the fx operation or restrict its use to trusted inputs only.
  • Validate image depth and size before processing to mitigate potential overflows.

Generated by OpenCVE AI on June 13, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Github GHSA Github GHSA GHSA-rcr6-g7jc-f57g ImageMagick: Stack overflow in fx operation
History

Thu, 25 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

threat_severity

Low


Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-23, due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. This issue has been patched in version 7.1.2-23.
Title ImageMagick: Stack overflow in fx operation
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:53:54.555Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46557

cve-icon Vulnrichment

Updated: 2026-06-11T12:44:49.465Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:47.037

Modified: 2026-06-11T18:42:12.863

Link: CVE-2026-46557

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-10T21:44:40Z

Links: CVE-2026-46557 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T02:00:08Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-674

    Uncontrolled Recursion