CVE-2026-55594 Overview
CVE-2026-55594 affects ImageMagick, the widely deployed open-source image manipulation library. The vulnerability originates from a missing depth check in the Magick Vector Graphics (MVG) decoder. A crafted image can trigger a stack overflow when processed by an unpatched ImageMagick installation. The flaw is classified under [CWE-400] uncontrolled resource consumption. Maintainers addressed the issue in versions 6.9.13-51 and 7.1.2-26.
Critical Impact
Attackers can supply a malicious MVG image to exhaust the process stack, causing the ImageMagick process to crash and producing a denial-of-service condition in any application that processes untrusted images.
Affected Products
- ImageMagick versions prior to 6.9.13-51 (6.x branch)
- ImageMagick versions prior to 7.1.2-26 (7.x branch)
- Applications and services embedding vulnerable ImageMagick builds for image processing
Discovery Timeline
- 2026-07-01 - CVE-2026-55594 published to the National Vulnerability Database
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-55594
Vulnerability Analysis
The defect resides in the MVG decoder, which parses ImageMagick's vector graphics format. The decoder recursively processes drawing primitives and grouped elements without enforcing a maximum recursion depth. An attacker who supplies a specially crafted MVG file with deeply nested structures forces the decoder to consume stack frames until the process exhausts its stack space. The result is a stack overflow that terminates the process handling the image.
Because the attack vector is network-reachable and requires no authentication or user interaction, any service that decodes user-supplied images with ImageMagick is exposed. The impact is limited to availability, since exploitation crashes the process rather than corrupting memory in a way that produces code execution. The EPSS value of 0.241% reflects a low near-term exploitation likelihood, but image-processing pipelines that fan out to many workers can amplify the disruption.
Root Cause
The root cause is the absence of a depth-limit guard in the MVG parsing routines. Without a bounded recursion counter or iterative parsing, malformed input controls the call depth. This maps to [CWE-400] because the attacker controls a resource — the call stack — that the application fails to constrain.
Attack Vector
Exploitation requires only that a vulnerable ImageMagick build decode an attacker-supplied MVG image. Common exposure paths include web upload endpoints, avatar and document processing services, email attachment scanners, and downstream conversion pipelines. The attacker delivers a crafted .mvg file — or an image container that references MVG content — and the decoder crashes on parse.
Verified exploit code is not publicly available. For technical detail on the fix, see the GitHub Security Advisory GHSA-mx48-2qq3-23hf.
Detection Methods for CVE-2026-55594
Indicators of Compromise
- Repeated segmentation faults or SIGSEGV terminations in processes invoking convert, magick, or library calls to MagickCore
- MVG files or images embedding MVG content received from untrusted sources shortly before worker crashes
- Abnormal restart rates in image-processing worker pools without corresponding legitimate load
Detection Strategies
- Inventory installed ImageMagick binaries and libraries and compare against fixed versions 6.9.13-51 and 7.1.2-26
- Inspect image upload endpoints for MVG payloads or unusually deep nesting patterns in vector graphics inputs
- Correlate application error logs with process supervisor restart events to surface crash-loop conditions
Monitoring Recommendations
- Alert on core dumps or crash telemetry originating from ImageMagick worker processes
- Track version metadata reported by magick -version across build and container images in CI pipelines
- Monitor queue depth and worker restart counters in image-processing services for anomalies consistent with denial-of-service attempts
How to Mitigate CVE-2026-55594
Immediate Actions Required
- Upgrade ImageMagick to 6.9.13-51 or 7.1.2-26 or later across all systems and container base images
- Rebuild and redeploy applications that statically link or vendor ImageMagick libraries
- Restrict inbound image formats at the application layer to those explicitly required by the workload
Patch Information
The ImageMagick maintainers released fixes in versions 6.9.13-51 and 7.1.2-26. The patch adds a depth check to the MVG decoder that halts parsing before recursion can exhaust the stack. Refer to the ImageMagick Security Advisory GHSA-mx48-2qq3-23hf for release notes and commit references.
Workarounds
- Disable the MVG coder in the ImageMagick policy file until upgrades complete
- Reject .mvg uploads and validate image MIME types before invoking the decoder
- Run ImageMagick workers under strict resource limits and process supervisors that recover from crashes without cascading failure
# /etc/ImageMagick-7/policy.xml — disable the MVG coder
# Add inside the <policymap> element:
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
# Verify installed version meets the fixed release
magick -version | head -n1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

