CVE-2026-28494
Published: 10 March 2026
Summary
CVE-2026-28494 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in ImageMagick. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 3.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack buffer overflow in ImageMagick image parser enables code execution when user processes malicious image file (local access, user interaction required).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Deeper analysis
CVE-2026-28494 is a stack buffer overflow vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue affects versions prior to 7.1.2-16 and 6.9.13-41, specifically in the morphology kernel parsing functions. User-controlled kernel strings that exceed the buffer size are copied into fixed-size stack buffers using memcpy without bounds checking, leading to stack corruption. This flaw is classified under CWE-121 (Stack-based Buffer Overflow) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
An attacker with local access to the system can exploit this vulnerability by supplying an image file whose morphology parameters contain oversized kernel strings. Exploitation requires user interaction, such as convincing a user to process the crafted image with ImageMagick via a command-line tool or script. Successful exploitation has high impact on integrity and availability: the resulting stack corruption could enable code execution, denial of service, or modification of image processing results, while confidentiality is not affected.
The official ImageMagick security advisory on GitHub (GHSA-932h-jw47-73jm) confirms the vulnerability and states that it is fixed in versions 7.1.2-16 and 6.9.13-41. Security practitioners should update to these patched versions immediately and avoid processing untrusted images with vulnerable installations.
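To make the defect class concrete, the following is an added, hypothetical illustration (not ImageMagick's own code) of a kernel-name parser that trusts the user-controlled token length in memcpy, shown beside a bounded version that rejects oversized input; KERNEL_NAME_MAX, the function names and the sample kernel strings are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for this example, not ImageMagick's real constant. */
#define KERNEL_NAME_MAX 32

/* Length of the kernel-name token: the prefix of `kernel` up to ':' or the end. */
size_t kernel_name_length(const char *kernel) {
    const char *colon = strchr(kernel, ':');
    return colon ? (size_t)(colon - kernel) : strlen(kernel);
}

/* The defect pattern the advisory describes, in simplified hypothetical form:
 * the token length is derived from the user-controlled string and handed to
 * memcpy unchecked, so a long name overruns the fixed-size stack buffer.
 * Shown only for contrast with the bounded version below. */
bool parse_kernel_name_unchecked(const char *kernel) {
    char name[KERNEL_NAME_MAX];
    size_t len = kernel_name_length(kernel);
    memcpy(name, kernel, len);          /* CWE-121: len may exceed sizeof(name) */
    name[len] = '\0';
    return strcmp(name, "Octagon") == 0 || strcmp(name, "Disk") == 0;
}

/* Bounded form: the copy is limited by the destination size and oversized
 * input is reported as a parse error instead of being copied. */
bool parse_kernel_name_checked(const char *kernel, char *out, size_t out_size) {
    size_t len;
    if (kernel == NULL || out == NULL || out_size == 0)
        return false;
    len = kernel_name_length(kernel);
    if (len >= out_size)                /* reserve one byte for the terminator */
        return false;
    memcpy(out, kernel, len);
    out[len] = '\0';
    return true;
}

/* Self-check: ordinary names are accepted, a constructed 127-byte name is rejected. */
bool kernel_parser_self_check(void) {
    char out[KERNEL_NAME_MAX];
    char oversized[128];
    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';
    return parse_kernel_name_checked("Octagon:3", out, sizeof out)
        && strcmp(out, "Octagon") == 0
        && parse_kernel_name_checked("3x3:1,1,1,1,1,1,1,1,1", out, sizeof out)
        && strcmp(out, "3x3") == 0
        && !parse_kernel_name_checked(oversized, out, sizeof out);
}

int main(void) {
    printf("bounded parser self-check: %s\n", kernel_parser_self_check() ? "ok" : "FAILED");
    return kernel_parser_self_check() ? 0 : 1;
}
```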
Details
- CWE(s)