CVE-2026-28494
Received Received - Intake
Stack Buffer Overflow in ImageMagick Morphology Kernel Parsing

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28494
EUVD
EUVD-2026-10373
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-41 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28494 is a high-severity stack buffer overflow vulnerability found in ImageMagick's morphology kernel parsing functions. It occurs when user-controlled kernel strings, such as long morphology kernel names or arrays, exceed the size of fixed-size stack buffers. These strings are copied into stack buffers using memcpy without proper bounds checking, which leads to stack corruption."}, {'type': 'paragraph', 'content': 'This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow) and affects versions of ImageMagick prior to 7.1.2-16 and 6.9.13-41.'}] [1]

Impact Analysis

The vulnerability can impact you by allowing an attacker to cause stack corruption, which can lead to modification of data or disruption of service integrity and availability.

According to the CVSS v3.1 score of 7.1, the attack requires local access and user interaction but no privileges, and it has a high impact on integrity and availability, though no impact on confidentiality.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ImageMagick to a patched version that addresses the stack buffer overflow issue.

  • Upgrade to ImageMagick version 7.1.2-16 or later.
  • Alternatively, upgrade to ImageMagick version 6.9.13-41 or later if using the 6.x branch.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart