CVE-2026-55594
Undergoing Analysis - In Progress

Stack Overflow in ImageMagick via MVG Decoder

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a missing depth check in the MVG decoder will result in a stack overflow when a crafted image is provided. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: image_magick
Product: image_magick
Version / Range: up to 6.9.13-51 (excluding); up to 7.1.2-26 (excluding)

Exploitability

CWE ID: Description
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability in ImageMagick is caused by a missing depth check in the MVG decoder. When a specially crafted image is processed by vulnerable versions of ImageMagick (prior to 6.9.13-51 and 7.1.2-26), it can trigger a stack overflow.

The root cause involves uncontrolled resource consumption and uncontrolled recursion, which can lead to excessive memory or stack usage, ultimately causing the application to crash or behave unexpectedly.

Impact Analysis

Exploitation of this vulnerability can lead to a denial of service condition by causing the ImageMagick process to crash due to stack overflow.

Since the vulnerability requires no privileges or user interaction and can be exploited remotely over a network, attackers could disrupt services that rely on ImageMagick for image processing.

However, this vulnerability does not impact confidentiality or integrity, only availability.

Detection Guidance

This vulnerability arises from a missing depth check in the MVG decoder of ImageMagick versions prior to 7.1.2-26 and 6.9.13-51, which can lead to a stack overflow when processing specially crafted images.

To detect if your system is vulnerable, you can check the installed ImageMagick version using the command:

  • magick --version

If the installed version is older than 7.1.2-26 on the 7.x branch, or older than 6.9.13-51 on the 6.x branch, your system is vulnerable.

Additionally, monitoring for unusual crashes or stack overflow errors when processing MVG images may indicate exploitation attempts.
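The version check above, scripted per release branch, as an added example that is not part of the original report or of ImageMagick itself. The function names and the sample banner are constructed for illustration; the fixed versions are the ones given in this report.

```shell
#!/bin/sh
# Added example: compare an ImageMagick version with the fixed releases
# named in this report (6.9.13-51 for the 6.x line, 7.1.2-26 for 7.x).

# Constructed sample of the first line printed by `magick --version`.
SAMPLE_BANNER='Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 22550 https://imagemagick.org'

# Pull "major.minor.patch-release" out of a --version banner.
im_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed (exit 0) when version $1 is strictly lower than version $2.
# Fields are compared numerically so that 13-9 sorts before 13-51.
im_version_lt() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, a, /[.-]/); split($2, b, /[.-]/)
        for (i = 1; i <= 4; i++) {
            if (a[i] + 0 < b[i] + 0) exit 0
            if (a[i] + 0 > b[i] + 0) exit 1
        }
        exit 1  # equal versions are not "lower"
    }'
}

# Print "vulnerable", "fixed" or "unknown" for a version string.
mvg_fix_status() {
    case "$1" in ''|*[!0-9.-]*) echo unknown; return ;; esac
    case "$1" in
        6.*) fixed=6.9.13-51 ;;
        7.*) fixed=7.1.2-26 ;;
        *)   echo unknown; return ;;
    esac
    if im_version_lt "$1" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Check the local install if a binary is on PATH. ImageMagick 6 installs
# `convert` rather than `magick`, so both names are tried.
for bin in magick convert; do
    if command -v "$bin" >/dev/null 2>&1; then
        v=$(im_version_from_banner "$("$bin" --version 2>/dev/null)")
        echo "$bin: ${v:-unparsed} -> $(mvg_fix_status "$v")"
        break
    fi
done
```

Distribution packages may backport the fix without changing the upstream version string, so a "vulnerable" result on a packaged build should be confirmed against the vendor's own advisory.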

Mitigation Strategies

The primary mitigation step is to upgrade ImageMagick to version 7.1.2-26 or 6.9.13-51 or later, where the vulnerability has been fixed.

Until the upgrade can be applied, consider restricting or disabling processing of MVG image files from untrusted sources to prevent exploitation.

Also, monitor your systems for any unusual resource consumption or crashes related to image processing.
