Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55594

CVE-2026-55594: ImageMagick Buffer Overflow Vulnerability

CVE-2026-55594 is a buffer overflow flaw in ImageMagick's MVG decoder that causes stack overflow via crafted images. This article covers the technical details, affected versions, security impact, and mitigation strategies.

Published:

CVE-2026-55594 Overview

CVE-2026-55594 affects ImageMagick, the widely deployed open-source image manipulation library. The vulnerability originates from a missing depth check in the Magick Vector Graphics (MVG) decoder. A crafted image can trigger a stack overflow when processed by an unpatched ImageMagick installation. The flaw is classified under [CWE-400] uncontrolled resource consumption. Maintainers addressed the issue in versions 6.9.13-51 and 7.1.2-26.

Critical Impact

Attackers can supply a malicious MVG image to exhaust the process stack, causing the ImageMagick process to crash and producing a denial-of-service condition in any application that processes untrusted images.

Affected Products

  • ImageMagick versions prior to 6.9.13-51 (6.x branch)
  • ImageMagick versions prior to 7.1.2-26 (7.x branch)
  • Applications and services embedding vulnerable ImageMagick builds for image processing

Discovery Timeline

  • 2026-07-01 - CVE-2026-55594 published to the National Vulnerability Database
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-55594

Vulnerability Analysis

The defect resides in the MVG decoder, which parses ImageMagick's vector graphics format. The decoder recursively processes drawing primitives and grouped elements without enforcing a maximum recursion depth. An attacker who supplies a specially crafted MVG file with deeply nested structures forces the decoder to consume stack frames until the process exhausts its stack space. The result is a stack overflow that terminates the process handling the image.

Because the attack vector is network-reachable and requires no authentication or user interaction, any service that decodes user-supplied images with ImageMagick is exposed. The impact is limited to availability, since exploitation crashes the process rather than corrupting memory in a way that produces code execution. The EPSS value of 0.241% reflects a low near-term exploitation likelihood, but image-processing pipelines that fan out to many workers can amplify the disruption.

Root Cause

The root cause is the absence of a depth-limit guard in the MVG parsing routines. Without a bounded recursion counter or iterative parsing, malformed input controls the call depth. This maps to [CWE-400] because the attacker controls a resource — the call stack — that the application fails to constrain.

Attack Vector

Exploitation requires only that a vulnerable ImageMagick build decode an attacker-supplied MVG image. Common exposure paths include web upload endpoints, avatar and document processing services, email attachment scanners, and downstream conversion pipelines. The attacker delivers a crafted .mvg file — or an image container that references MVG content — and the decoder crashes on parse.

Verified exploit code is not publicly available. For technical detail on the fix, see the GitHub Security Advisory GHSA-mx48-2qq3-23hf.

Detection Methods for CVE-2026-55594

Indicators of Compromise

  • Repeated segmentation faults or SIGSEGV terminations in processes invoking convert, magick, or library calls to MagickCore
  • MVG files or images embedding MVG content received from untrusted sources shortly before worker crashes
  • Abnormal restart rates in image-processing worker pools without corresponding legitimate load

Detection Strategies

  • Inventory installed ImageMagick binaries and libraries and compare against fixed versions 6.9.13-51 and 7.1.2-26
  • Inspect image upload endpoints for MVG payloads or unusually deep nesting patterns in vector graphics inputs
  • Correlate application error logs with process supervisor restart events to surface crash-loop conditions

Monitoring Recommendations

  • Alert on core dumps or crash telemetry originating from ImageMagick worker processes
  • Track version metadata reported by magick -version across build and container images in CI pipelines
  • Monitor queue depth and worker restart counters in image-processing services for anomalies consistent with denial-of-service attempts

How to Mitigate CVE-2026-55594

Immediate Actions Required

  • Upgrade ImageMagick to 6.9.13-51 or 7.1.2-26 or later across all systems and container base images
  • Rebuild and redeploy applications that statically link or vendor ImageMagick libraries
  • Restrict inbound image formats at the application layer to those explicitly required by the workload

Patch Information

The ImageMagick maintainers released fixes in versions 6.9.13-51 and 7.1.2-26. The patch adds a depth check to the MVG decoder that halts parsing before recursion can exhaust the stack. Refer to the ImageMagick Security Advisory GHSA-mx48-2qq3-23hf for release notes and commit references.

Workarounds

  • Disable the MVG coder in the ImageMagick policy file until upgrades complete
  • Reject .mvg uploads and validate image MIME types before invoking the decoder
  • Run ImageMagick workers under strict resource limits and process supervisors that recover from crashes without cascading failure
bash
# /etc/ImageMagick-7/policy.xml — disable the MVG coder
# Add inside the <policymap> element:
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

# Verify installed version meets the fixed release
magick -version | head -n1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.