ImageMagick: Converting multi-layer nested MVG to SVG can cause DoS

Vulnerability

Overview

CVE-2026-24484 is a denial-of-service (DoS) vulnerability in ImageMagick, a widely used open-source image processing suite. The issue resides in the MVG (Magick Vector Graphics) to SVG (Scalable Vector Graphics) conversion path. Prior to versions 7.1.2-15 and 6.9.13-40 and 7.1.2-15, the software fails to properly validate or limit the depth of nested MVG layers during conversion, allowing an attacker to craft a malicious MVG file that triggers excessive resource consumption [2][4].

Exploitation

Details

An attacker can exploit this vulnerability by supplying a specially crafted MVG image containing deeply nested layers. When ImageMagick processes this file—either through direct command-line use or via an application that relies on the library—the conversion routine enters a state of uncontrolled recursion or resource allocation, leading to a denial of service. No authentication or special privileges are required; the attack can be triggered remotely if the application accepts user-uploaded images [4].

Impact

Successful exploitation results in a denial of service, causing the ImageMagick process to hang, crash, or consume excessive CPU and memory resources. This can disrupt services that depend on ImageMagick for image processing, such as web applications, content management systems, or automated image pipelines [2][4].

Mitigation

The vulnerability has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users are strongly advised to update to these or later releases. For those unable to upgrade immediately, implementing a security policy that restricts or disables MVG conversion may serve as a temporary workaround [1][2][4].