CVE-2026-49218
Status: Received - Intake
Heap Overflow in ImageMagick Due to Invalid DCM Dimensions

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions, which could cause crashes in other operations. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Affected Vendors & Products
Vendor: imagemagick
Product: imagemagick
Version / Range: before 7.1.2-24 (7.1.2-24 excluded)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability exists in ImageMagick, free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a check was missing in the DCM decoder component. Because of this missing check, an image with invalid dimensions could be accepted and processed, which could cause crashes during other operations.

Impact Analysis

The vulnerability can cause crashes in ImageMagick when processing specially crafted images with invalid dimensions. This can lead to denial of service (DoS) conditions, potentially disrupting applications or services that rely on ImageMagick for image processing.

Mitigation Strategies

To mitigate this vulnerability, you should update ImageMagick to version 6.9.13-48 or later, or version 7.1.2-24 or later, where the issue has been patched.

Compliance Impact

The vulnerability in ImageMagick involves a missing check in the DCM decoder that can cause crashes due to images with invalid dimensions. This issue affects availability (denial of service) but does not impact confidentiality or integrity.

Since the vulnerability does not lead to data breaches or unauthorized data access, it does not directly affect compliance with data protection standards such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or health data.

However, the potential for denial of service could indirectly impact system availability requirements under some regulations, depending on the context of use.
