Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, a crafted MVG file could result in a stack overflow due to a missing depth or visited-set check. This issue has been patched in versions 6.9.13-49 and 7.1.2-24.
Published: 2026-06-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted MVG image can trigger a stack overflow in ImageMagick’s decoder due to a missing depth or visited‑set check. This flaw may corrupt stack memory, potentially causing a crash or further memory corruption that could lead to denial of service or, in rare cases, arbitrary code execution. The vulnerability is a form of unchecked input used to compute buffer size, as indicated by CWE‑674.

Affected Systems

ImageMagick, ImageMagick governs all versions of the software. Any installation running a version older than 6.9.13‑49 or 7.1.2‑24 is vulnerable; these earlier releases lack the patch that adds the missing depth or visited‑set validation.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity, mainly associated with resource depletion rather than privilege escalation. The EPSS score is 0.00013, indicating a very low but non-zero probability of exploitation, and the flaw is not listed in CISA KEV, implying no known widespread exploitation. The likely attack vector is when an application or system processes an attacker‑crafted MVG file—this could be invoked via a file upload endpoint or batch image processing pipeline. Given the moderate risk and potential for denial of service, users should prioritize remediation.

Generated by OpenCVE AI on June 12, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ImageMagick to at least 6.9.13‑49 or 7.1.2‑24, or any later release that includes the patch
  • Verify that the application environment restricts or sanitizes image uploads to prevent delivery of malicious MVG files
  • After updating, ensure that the image processing components are using the latest binary and that configuration settings do not enable deprecated or unsafe codecs

Generated by OpenCVE AI on June 12, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4643-1 imagemagick security update
Debian DSA Debian DSA DSA-6356-1 imagemagick security update
Github GHSA Github GHSA GHSA-h36c-3666-h489 ImageMagick Vulnerable to Stack Overflow in its MVG Decoder
History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, a crafted MVG file could result in a stack overflow due to a missing depth or visited-set check. This issue has been patched in versions 6.9.13-49 and 7.1.2-24.
Title ImageMagick: Stack Overflow in MVG decoder
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T12:44:08.125Z

Reserved: 2026-05-22T19:10:35.746Z

Link: CVE-2026-48734

cve-icon Vulnrichment

Updated: 2026-06-11T12:44:01.065Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:49.220

Modified: 2026-06-11T18:44:38.903

Link: CVE-2026-48734

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T21:55:59Z

Links: CVE-2026-48734 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T02:00:12Z

Weaknesses
  • CWE-674

    Uncontrolled Recursion

  • CWE-770

    Allocation of Resources Without Limits or Throttling