CVE-2026-28690

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVSS v3 6.9 MEDIUM

6.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.4 / Impact : 5.5

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:imagemagick:imagemagick::::::::
	cpe:2.3:a:imagemagick:imagemagick::::::::

History

17 Jun 2026, 10:28

Type	Values Removed	Values Added
Summary		(es) ImageMagick es un software libre y de código abierto utilizado para editar y manipular imágenes digitales. Antes de las versiones 7.1.2-16 y 6.9.13-41, existe una vulnerabilidad de desbordamiento de búfer de pila en el codificador MNG. Faltan comprobaciones de límites que podrían corromper la pila con datos controlados por el atacante. Esta vulnerabilidad está corregida en las versiones 7.1.2-16 y 6.9.13-41.

11 Mar 2026, 17:32

Type	Values Removed	Values Added
First Time		Imagemagick Imagemagick imagemagick
References	~~() https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf -~~	() https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf - Vendor Advisory
CPE		cpe:2.3:a:imagemagick:imagemagick::::::::

10 Mar 2026, 07:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 07:43

Updated : 2026-06-17 10:28

NVD link : CVE-2026-28690

Mitre link : CVE-2026-28690

CVE.ORG link : CVE-2026-28690

JSON object : View

Products Affected

imagemagick

imagemagick

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2026-28690", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-28690", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:58:08.780047Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 1.0}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.1.2-16"}, {"status": "affected", "version": "< 6.9.13-41"}]}]}], "published": "2026-03-10T07:43:44.127", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. Antes de las versiones 7.1.2-16 y 6.9.13-41, existe una vulnerabilidad de desbordamiento de b\u00fafer de pila en el codificador MNG. Faltan comprobaciones de l\u00edmites que podr\u00edan corromper la pila con datos controlados por el atacante. Esta vulnerabilidad est\u00e1 corregida en las versiones 7.1.2-16 y 6.9.13-41."}], "lastModified": "2026-06-17T10:28:54.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFFB7C48-4211-4215-9C0B-D285B8E09CF1", "versionEndExcluding": "6.9.13-41"}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "865783BD-5A33-4D05-AF99-E6EFE76414D1", "versionEndExcluding": "7.1.2-16", "versionStartIncluding": "7.0.0-0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}