VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 10, 2026

CVE-2026-49218

CVE-2026-49218

Description

ImageMagick's DCM decoder has a vulnerability allowing invalid image dimensions, potentially causing crashes. Patched in 6.9.13-48 and 7.1.2-24.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick's DCM decoder has a vulnerability allowing invalid image dimensions, potentially causing crashes. Patched in 6.9.13-48 and 7.1.2-24.

Vulnerability

ImageMagick versions prior to 6.9.13-48 and 7.1.2-24 contain a vulnerability in the DCM decoder due to a missing check. This flaw can lead to an image with invalid dimensions, which may cause crashes during other operations [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted image file to an ImageMagick instance. The vulnerability is present in the DCM decoder, and no specific privileges or user interaction are mentioned as requirements for exploitation in the available references [1].

Impact

Successful exploitation of this vulnerability can lead to denial-of-service conditions, manifesting as crashes within ImageMagick when processing the malformed image. The exact scope and privilege level of the impact are not detailed in the available references [1].

Mitigation

This vulnerability has been patched in ImageMagick versions 6.9.13-48 and 7.1.2-24. Users are advised to update to these fixed versions or later. No workarounds are mentioned in the available references [1].

References
  1. Policy Bypass in DCM decoder could result in image with invalid dimensions

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1