Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions, and that could cause crashes in other operations. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick’s DCM decoder is missing a validation step, so a crafted DCM file can yield an image with invalid dimensions. When such an image is passed on to other operations, those operations can crash, disrupting the availability of the software and of any services that rely on it. The weakness is an input validation flaw, classified as CWE‑20.

Affected Systems

The affected product is ImageMagick from the ImageMagick project. Vulnerable builds are all versions earlier than 6.9.13‑48 on the 6.x branch and earlier than 7.1.2‑24 on the 7.x branch. The security advisory confirms that the fix is included in 6.9.13‑48 and 7.1.2‑24 respectively.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation at present. The likely attack vector is the supply of a crafted DCM image through any interface that invokes the decoder, such as image upload endpoints or import functions. Exploitation would lead to a crash (denial of service) rather than arbitrary code execution, and no additional conditions are asserted in the advisory.

Generated by OpenCVE AI on June 10, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ImageMagick to version 6.9.13‑48 or later, or 7.1.2‑24 or later, as the replacement includes the missing validation check.
  • If an upgrade is not immediately feasible, configure the ImageMagick policy to disable the DCM decoder or restrict its use to trusted image sources.
  • Review custom applications that ingest images to ensure they validate image dimensions before processing and consider isolating image handling in a controlled environment.
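The second and third actions above can be enforced at the ImageMagick level through its security policy file. The fragment below is an added example written for this page, not configuration from OpenCVE or the ImageMagick project: it disables the DCM coder outright and caps the dimensions and memory any decoder may claim, so an image that reports absurd width or height is rejected before downstream operations allocate for it. The file path and the resource values are assumptions to be adjusted for the installation and workload.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the OpenCVE page or the ImageMagick project.
     Fragment for ImageMagick's policy.xml. The path varies by install
     (assumed here: /etc/ImageMagick-7/policy.xml); `magick -list policy`
     prints the path actually in use. -->
<policymap>
  <!-- Mitigation for the DCM decoder issue: refuse to read or write DICOM
       files at all until a patched release (6.9.13-48 / 7.1.2-24) is installed. -->
  <policy domain="coder" rights="none" pattern="DCM" />

  <!-- Defence in depth: bound the dimensions and memory any decoder may claim,
       so an image with invalid or oversized dimensions fails early instead of
       reaching later operations. Values are illustrative; tune to the workload. -->
  <policy domain="resource" name="width"  value="16KP" />
  <policy domain="resource" name="height" value="16KP" />
  <policy domain="resource" name="area"   value="128MP" />
  <policy domain="resource" name="memory" value="1GiB" />
  <policy domain="resource" name="map"    value="2GiB" />
  <policy domain="resource" name="disk"   value="4GiB" />
</policymap>
```

After editing, confirm with `magick -list policy` (or `convert -list policy` on the 6.x branch) that the coder and resource entries are loaded; a subsequent read of a DCM file is then refused with a security-policy error instead of being decoded. Because the policy is global to that ImageMagick installation, "restrict its use to trusted image sources" cannot be expressed in policy.xml alone: keep the coder disabled in the install that handles untrusted uploads, and route any DICOM that must be processed through a separate, isolated install where the coder is enabled.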



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:45:00 +0000

  • Type: First Time appeared
    Values Removed: (none)
    Values Added: Imagemagick; Imagemagick imagemagick
  • Type: Vendors & Products
    Values Removed: (none)
    Values Added: Imagemagick; Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

  • Type: Description
    Values Removed: (none)
    Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
  • Type: Title
    Values Removed: (none)
    Values Added: ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions
  • Type: Weaknesses
    Values Removed: (none)
    Values Added: CWE-20
  • Type: References
    Values Removed: (none)
    Values Added: (none)
  • Type: Metrics
    Values Removed: (none)
    Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:59:04.443Z

Reserved: 2026-05-28T03:42:34.341Z

Link: CVE-2026-49218

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T23:16:49.500

Modified: 2026-06-10T23:16:49.500

Link: CVE-2026-49218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses
  • CWE-20

    Improper Input Validation