CVE-2026-48734 Overview
ImageMagick is open-source software for editing and manipulating digital images. CVE-2026-48734 is a stack overflow vulnerability triggered by processing a crafted Magick Vector Graphics (MVG) file. The flaw stems from a missing depth check or visited-set validation during recursive parsing, allowing uncontrolled recursion that exhausts the stack. The issue affects ImageMagick versions prior to 6.9.13-49 and 7.1.2-24. Exploitation requires a local user to open a malicious MVG file, resulting in a denial-of-service condition against the parsing process.
Critical Impact
A crafted MVG file can crash ImageMagick through unbounded recursion, producing a stack overflow and process termination [CWE-674].
Affected Products
- ImageMagick versions prior to 6.9.13-49 (6.x branch)
- ImageMagick versions prior to 7.1.2-24 (7.x branch)
- Applications and services embedding vulnerable ImageMagick libraries for MVG parsing
Discovery Timeline
- 2026-06-10 - CVE-2026-48734 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-48734
Vulnerability Analysis
The vulnerability resides in ImageMagick's MVG file parser. MVG is a vector graphics format that supports nested drawing primitives and grouped elements. Parsing these constructs relies on recursive function calls within the rendering pipeline. The parser lacks a depth limit or visited-node tracking when handling nested or self-referencing MVG structures. An attacker controlling the MVG content can force the parser into uncontrolled recursion, producing a stack overflow [CWE-674]. The resulting condition crashes the host process and denies image processing services to legitimate users.
Root Cause
The defect is a missing recursion guard. The MVG parsing routines do not enforce a maximum traversal depth, and they do not maintain a visited-set to detect cyclic references between drawing groups. When the parser encounters deeply nested or cyclic primitives, each call frame consumes additional stack space until the thread exhausts its stack allocation. The runtime terminates the process with a segmentation fault or stack guard violation.
Attack Vector
Exploitation requires local access and user interaction. An attacker delivers a malicious MVG file to a target who opens it with a vulnerable ImageMagick build, or who submits it to an application that invokes ImageMagick for conversion or rendering. Common attack channels include email attachments, shared file storage, and upload endpoints that hand MVG content to ImageMagick libraries. The vulnerability does not yield code execution or information disclosure; the documented impact is process crash and service disruption.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-h36c-3666-h489 for upstream technical details.
Detection Methods for CVE-2026-48734
Indicators of Compromise
- Repeated crashes or core dumps from magick, convert, or library consumers when processing MVG inputs
- MVG files with deeply nested drawing primitives, recursive group references, or anomalous element counts
- Stack overflow signals (SIGSEGV with stack-related fault addresses) in system logs tied to ImageMagick processes
Detection Strategies
- Inspect file submissions for MVG content and validate nesting depth before passing files to ImageMagick
- Monitor process telemetry for abnormal termination of ImageMagick worker processes following MVG ingestion
- Correlate crash events with the originating user, upload source, and file hash to identify malicious samples
Monitoring Recommendations
- Enable core dump collection on systems running batch image processing to capture stack overflow evidence
- Alert on spikes in ImageMagick process restarts within container orchestrators or job schedulers
- Log MVG file submissions through web application gateways with file hashes and submitter attribution
How to Mitigate CVE-2026-48734
Immediate Actions Required
- Upgrade ImageMagick to version 6.9.13-49 or 7.1.2-24 or later across all systems
- Audit applications and container images that bundle ImageMagick libraries and rebuild against patched releases
- Restrict MVG processing on internet-facing services until patched versions are deployed
Patch Information
The ImageMagick maintainers fixed the issue in versions 6.9.13-49 and 7.1.2-24. The patch adds the missing depth check and visited-set validation to halt recursion before stack exhaustion. Refer to the GitHub Security Advisory GHSA-h36c-3666-h489 for commit references and release notes.
Workarounds
- Disable MVG coder support in policy.xml by adding a policy entry that denies the MVG coder
- Apply resource limits in ImageMagick policy to cap memory, map, and thread usage for parser processes
- Sandbox ImageMagick execution with restricted users, seccomp profiles, or containers to contain crashes
# Configuration example: disable the MVG coder in /etc/ImageMagick-7/policy.xml
<policymap>
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="resource" name="memory" value="256MiB" />
<policy domain="resource" name="map" value="512MiB" />
<policy domain="resource" name="thread" value="2" />
</policymap>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
