ImageMagick, Stack-buffer-overflow, CVE-2026-28690 (Moderate)

Listen to this Post

How the CVE Works:

The vulnerability is a stack buffer overflow in ImageMagick’s MNG encoder when processing a specially crafted image with an oversized palette. The issue arises from missing bounds checks in the encoder, allowing attacker-controlled data to corrupt the stack. Specifically, when encoding multi-frame images, the encoder fails to validate the size of the palette, leading to a write operation that exceeds the stack buffer. This can overwrite critical stack data, such as return addresses and local variables, potentially allowing an attacker to hijack control flow. The overflow is triggered when the encoder attempts to write palette data into a fixed-size stack buffer without checking the input size. The vulnerability was initially partially patched (GHSA-7h7q-j33q-hvpf), but the patch was incomplete, leaving the overflow possible in multi-frame scenarios. The issue is present in ImageMagick versions prior to 7.1.2-19 and 6.9.13-44. Exploitation can lead to denial of service or arbitrary code execution. The vulnerability was confirmed with AddressSanitizer, showing a stack-buffer-overflow write of size 1 at a specific address. This is a classic stack-based overflow, classified as CWE-121, and is rated as moderate severity.

DailyCVE Form:

Platform: ImageMagick
Version: <7.1.2-19, <6.9.13-44
Vulnerability: Stack buffer overflow
Severity: Moderate
Date: Apr 14, 2026

Prediction: Apr 14, 2026 (patched)

What Undercode Say:

Check ImageMagick version
identify -version
Test for vulnerability (requires a crafted MNG file)
Example: identify vulnerable.mng
Apply patch by upgrading to fixed version
sudo apt-get update && sudo apt-get install imagemagick=7.1.2-19
Disable MNG encoder as mitigation (policy.xml)
<policy domain="coder" rights="none" pattern="MNG" />

Exploit:

An attacker crafts a malicious MNG file with an oversized palette. When processed by an affected ImageMagick version, the MNG encoder writes beyond the stack buffer, corrupting the stack. This can overwrite the return address, allowing the attacker to redirect execution to arbitrary code. The exploit is local, requiring user interaction (e.g., opening the file), but can lead to arbitrary code execution.

Protection from this CVE:

  • Upgrade to ImageMagick versions 7.1.2-19 or 6.9.13-44, which include the complete patch.
  • Disable the MNG encoder by adding `` to policy.xml.
  • Avoid processing untrusted MNG files.
  • Run ImageMagick in a sandboxed environment to limit impact.

Impact:

  • Denial of service: The overflow can crash the application.
  • Arbitrary code execution: In severe cases, an attacker may execute arbitrary code with the privileges of the process. However, modern security features like ASLR and NX make exploitation more difficult, limiting impact to denial of service in many environments.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top