ImageMagick affected by stack corruption through long morphology kernel names or arrays
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick morphology kernel parsing functions have a stack buffer overflow via user-controlled kernel strings copied without bounds checking, fixed in versions 7.1.2-16 and 6.9.13-41.
CVE-2026-28494 is a stack buffer overflow vulnerability in ImageMagick's morphology kernel parsing functions [2]. The root cause is that user-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, leading to stack corruption [4].
Exploitation requires an attacker to supply a long morphology kernel name or array [3]. The attack vector is network-based with low complexity, no privileges required, and no user interaction needed [4]. This makes the vulnerability remotely exploitable without authentication.
Successful exploitation can lead to stack corruption, potentially allowing an attacker to impact confidentiality, integrity, and availability of the system [4]. The advisory notes that the severity is high, with possible data access, modification, or service disruption [3].
The vulnerability is fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41 [2]. The Magick.NET release 14.10.4 incorporates these fixes [3]. Users should update to these versions or apply the vendor-provided patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Magick.NET-Q16-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-OpenMP-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-x86NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q16-HDRI-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-AnyCPUNuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-OpenMP-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-OpenMP-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-arm64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-x64NuGet | < 14.10.4 | 14.10.4 |
Magick.NET-Q8-x86NuGet | < 14.10.4 | 14.10.4 |
Affected products
2<7.1.2-16 and <6.9.13-41+ 1 more
- (no CPE)range: <7.1.2-16 and <6.9.13-41
- (no CPE)range: >= 7.0.0, < 7.1.2-16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-932h-jw47-73jmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28494ghsaADVISORY
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-932h-jw47-73jmghsax_refsource_CONFIRMWEB
- github.com/dlemstra/Magick.NET/releases/tag/14.10.4ghsaWEB
News mentions
0No linked articles in our index yet.