Skip to main content

Imagemagick EUVDEUVD-2026-22104

| CVE-2026-33901 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-13 GitHub_M GHSA-x9h5-r9v2-vcww
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:35 vuln.today
Patch released
Apr 14, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 13, 2026 - 21:00 euvd
EUVD-2026-22104
Analysis Generated
Apr 13, 2026 - 21:00 vuln.today
CVE Published
Apr 13, 2026 - 20:56 nvd
HIGH 7.5

DescriptionCVE.org

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

AnalysisAI

Heap buffer overflow in ImageMagick's MVG decoder enables network-based denial of service through crafted image files. Affects all ImageMagick versions prior to 6.9.13-44 and 7.1.2-19. CVSS 7.5 (HIGH) with remote unauthenticated exploitation (AV:N/PR:N), but EPSS score of 0.04% (11th percentile) indicates minimal observed exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified. Vendor-released patches available in versions 6.9.13-44 and 7.1.2-19, with upstream fix committed at 4c72003e9e54.

Technical ContextAI

ImageMagick is a widely deployed open-source image manipulation suite supporting over 200 image formats, commonly used in web applications, content management systems, and automated image processing pipelines. The MVG (Magick Vector Graphics) decoder parses vector graphic instructions embedded in image files. This vulnerability stems from a CWE-122 (Heap-based Buffer Overflow) in the MVG parsing logic, where insufficient bounds checking during crafted image processing allows writing beyond allocated heap memory boundaries. The flaw affects both the legacy 6.x branch (pre-6.9.13-44) and current 7.x branch (pre-7.1.2-19), indicating a longstanding issue in the MVG decoder implementation shared across major version lines. The vulnerability was reported through GitHub's security advisory mechanism and fixed in commit 4c72003e9e54, suggesting responsible disclosure.

RemediationAI

Upgrade ImageMagick to version 6.9.13-44 or later for the 6.x branch, or version 7.1.2-19 or later for the 7.x branch. Vendor-released patches are available through official distribution channels at https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19, with the specific security fix applied in commit 4c72003e9e54a4ebaa938d239e75f5d285527ebe. For Magick.NET users, upgrade to version 14.12.0 or later. If immediate patching is not feasible, implement defense-in-depth controls including disabling MVG/MSVG format support in ImageMagick's policy.xml configuration file (add rights='none' for pattern='MVG'), restricting image processing to trusted sources only, running ImageMagick processes in isolated containers with resource limits, and deploying application-layer input validation to reject MVG-formatted images. Monitor for abnormal memory consumption or crashes in ImageMagick processes as potential exploitation indicators. Consult the GitHub security advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww for additional vendor guidance.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

EUVD-2026-22104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy