Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions, which could cause crashes in other operations. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick’s DCM (DICOM) decoder is missing a validation check, so a crafted DCM file can yield an image object whose dimensions are invalid. Operations that later consume that image can crash on those dimensions, disrupting the availability of ImageMagick and of any service that calls it to process uploads. The weakness is an input-validation flaw, classified as CWE‑20 (Improper Input Validation) and CWE‑1284 (Improper Validation of Specified Quantity in Input).

Affected Systems

The affected product is ImageMagick from the ImageMagick project. Vulnerable builds are all 6.x releases earlier than 6.9.13‑48 and all 7.x releases earlier than 7.1.2‑24; the advisory states that the fix is included in 6.9.13‑48 and 7.1.2‑24 respectively.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of 0.00263 indicates a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation at present. The likely attack vector is the supply of a crafted DCM image through any interface that invokes the decoder, such as image upload endpoints or import functions. Exploitation would lead to a crash rather than arbitrary code execution, and no additional conditions are asserted in the advisory.

Generated by OpenCVE AI on June 18, 2026 at 14:18 UTC.

Remediation

Fixed upstream in ImageMagick 6.9.13‑48 and 7.1.2‑24 (per the advisory description above); no separate vendor workaround is published beyond the policy-based mitigation listed under Recommended Actions.

OpenCVE Recommended Actions

  • Update ImageMagick to version 6.9.13‑48 or later (6.x branch) or 7.1.2‑24 or later (7.x branch); these releases add the missing validation check in the DCM decoder.
  • If an upgrade is not immediately feasible, use the ImageMagick security policy (policy.xml) to disable the DCM coder, or restrict DCM input to trusted sources.
  • Review custom applications that ingest images to ensure they validate image dimensions before processing, and consider isolating image handling in a sandboxed or otherwise controlled environment so that a decoder crash does not take down the calling service.
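The second and third recommendations above, as an added worked example that is not part of the OpenCVE page or of the ImageMagick project: a pre-ingest check that walks a DICOM file's own header to read Rows (0028,0010) and Columns (0028,0011) and rejects a file whose dimensions are zero or oversized before ImageMagick ever decodes it, plus a small checker that confirms a policy.xml fragment actually denies the DCM coder. The header walker assumes the whole file is explicit VR little endian (the usual case for Part 10 files) and rejects undefined-length elements; `MAX_DIMENSION`, `make_sample`, the embedded DICOM bytes and the policy fragment are constructed for this example. The `<policy domain="coder" rights="none" pattern="DCM"/>` line uses ImageMagick's standard policy.xml syntax for disabling a coder.

```python
"""Added example: pre-ingest DICOM dimension check and policy.xml check.
Not ImageMagick project code; sample inputs are constructed."""
import struct
import xml.etree.ElementTree as ET

# Explicit VR: these VRs carry 2 reserved bytes plus a 4-byte length field.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
TAG_ROWS = (0x0028, 0x0010)      # (0028,0010) Rows, VR US
TAG_COLUMNS = (0x0028, 0x0011)   # (0028,0011) Columns, VR US
MAX_DIMENSION = 16384            # hypothetical site limit, not an ImageMagick value


def iter_elements(data: bytes):
    """Yield (tag, vr, value) for each data element after the DICM magic.
    Assumes explicit VR little endian throughout; rejects undefined lengths."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported")
        if pos + length > len(data):
            raise ValueError("element length runs past end of file")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def dicom_dimensions(data: bytes):
    """Return (rows, columns) from the header, or raise ValueError."""
    rows = cols = None
    for tag, vr, value in iter_elements(data):
        if tag == TAG_ROWS and vr == b"US" and len(value) == 2:
            (rows,) = struct.unpack("<H", value)
        elif tag == TAG_COLUMNS and vr == b"US" and len(value) == 2:
            (cols,) = struct.unpack("<H", value)
        if rows is not None and cols is not None:
            break
    if rows is None or cols is None:
        raise ValueError("Rows or Columns element missing")
    return rows, cols


def dimensions_ok(data: bytes, max_dim: int = MAX_DIMENSION) -> bool:
    """True only if both dimensions are present, non-zero and within max_dim."""
    try:
        rows, cols = dicom_dimensions(data)
    except ValueError:
        return False
    return 0 < rows <= max_dim and 0 < cols <= max_dim


def _element(group, elem, vr, value):
    """Encode one explicit-VR little-endian data element (for the sample)."""
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def make_sample(rows: int, cols: int) -> bytes:
    """Constructed Part 10 file: preamble, DICM, meta header, Rows, Columns."""
    transfer_syntax = b"1.2.840.10008.1.2.1\x00"  # explicit VR LE UID, even-padded
    body = (
        _element(0x0002, 0x0001, b"OB", b"\x00\x01")   # exercises the 4-byte length path
        + _element(0x0002, 0x0010, b"UI", transfer_syntax)
        + _element(0x0028, 0x0010, b"US", struct.pack("<H", rows))
        + _element(0x0028, 0x0011, b"US", struct.pack("<H", cols))
    )
    return b"\x00" * 128 + b"DICM" + body


# Constructed policy.xml fragment in ImageMagick's standard policy syntax.
POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="DCM"/>
</policymap>"""


def dcm_coder_disabled(policy_xml: str) -> bool:
    """True if a coder-domain rule grants no rights to the DCM coder.
    Assumes a bare coder name in pattern, not a {A,B} group."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("policy"):
        if rule.get("domain") == "coder" and rule.get("pattern", "").upper() == "DCM":
            return rule.get("rights") == "none"
    return False
```

Run `dimensions_ok(data)` on the raw upload before handing the path to ImageMagick; a `False` result should reject the file at the edge rather than letting the decoder see it. The policy check is meant for a deployment test that reads the installed policy.xml and asserts `dcm_coder_disabled(...)` is true on hosts that have not yet been upgraded.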

Generated by OpenCVE AI on June 18, 2026 at 14:18 UTC.

Advisories
Source        ID                   Title
Debian DLA    DLA-4643-1           imagemagick security update
Debian DSA    DSA-6356-1           imagemagick security update
GitHub GHSA   GHSA-8pj9-6897-74xc  ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions
History

Wed, 17 Jun 2026 12:15:00 +0000

Type        Values Removed           Values Added
Weaknesses                           CWE-1284
References
Metrics     threat_severity: None    threat_severity: Important


Thu, 11 Jun 2026 18:45:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 23:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Imagemagick; Imagemagick imagemagick
Vendors & Products                     Imagemagick; Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description                    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Title                          ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions
Weaknesses                     CWE-20
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:09:56.308Z

Reserved: 2026-05-28T03:42:34.341Z

Link: CVE-2026-49218

Vulnrichment

Updated: 2026-06-30T03:16:11.921Z

NVD

Status : Analyzed

Published: 2026-06-10T23:16:49.500

Modified: 2026-06-11T18:44:28.637

Link: CVE-2026-49218

Red Hat

Severity : Important

Public Date: 2026-06-10T21:59:04Z

Links: CVE-2026-49218 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-1284: Improper Validation of Specified Quantity in Input
  • CWE-20: Improper Input Validation