ImageMagick is a widely deployed open‑source software suite for editing, converting, and manipulating raster and vector images across more than 200 formats. One of its supported vector formats is MVG (Magick Vector Graphics), an XML‑like language that describes geometric shapes, paths, and graphical objects. To render an MVG file, ImageMagick invokes the `RenderMVGContent` function, which parses the hierarchical structure of the document.
The MVG specification allows the definition of reusable graphical components through `
An attacker can craft a malicious MVG file that contains a chain of classes referencing each other in a deeply nested or circular manner. Because there is no depth counter, the decoder will follow these references indefinitely, each time pushing a new stack frame onto the call stack. The recursion continues until the stack memory is exhausted, leading to a classic stack overflow condition. This overflow corrupts adjacent stack memory, which can cause the application to crash (denial of service) or, under specific circumstances, allow an adversary to overwrite critical control data such as return addresses, potentially achieving arbitrary code execution.
The vulnerability is classified under CWE‑674: Uncontrolled Recursion. Its CVSS v3.1 base score is 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The attack requires local access and user interaction (e.g., opening a malicious file), but no privileges are needed, and the impact is primarily on availability.
The fix, applied in ImageMagick versions 6.9.13‑49 and 7.1.2‑24, introduces a `classDepth` counter that increments before each recursive call and checks it against a safe limit (`MagickMaxRecursionDepth`). If the depth exceeds this threshold, the recursion is terminated and a `VectorGraphicsNestedTooDeeply` error is raised, effectively breaking the infinite recursion path.
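The depth-counter pattern described above, reduced to a toy class resolver in C. This is an added example, not ImageMagick's code: `ClassDef`, `render_class`, `MAX_CLASS_DEPTH` and the error codes are hypothetical names, and both class tables are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this sketch; it plays the role of MagickMaxRecursionDepth. */
#define MAX_CLASS_DEPTH 32
#define ERR_TOO_DEEP  (-1)
#define ERR_UNKNOWN   (-2)

/* Constructed model: each class may reference at most one other class. */
typedef struct { const char *name; const char *ref; } ClassDef;

static const ClassDef chained[] = { {"A", "B"}, {"B", "C"}, {"C", NULL} };
static const ClassDef cyclic[]  = { {"A", "B"}, {"B", "A"} };

static const ClassDef *find_class(const ClassDef *defs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(defs[i].name, name) == 0)
            return &defs[i];
    return NULL;
}

/* Returns the number of classes expanded, or a negative error code. */
static int render_class(const ClassDef *defs, size_t n, const char *name, size_t depth)
{
    const ClassDef *c;
    int inner;

    /* Check before descending: without it, the cyclic table recurses
       until the stack is exhausted. */
    if (depth >= MAX_CLASS_DEPTH)
        return ERR_TOO_DEEP;
    if ((c = find_class(defs, n, name)) == NULL)
        return ERR_UNKNOWN;
    if (c->ref == NULL)
        return 1;                       /* leaf class: nothing more to expand */
    inner = render_class(defs, n, c->ref, depth + 1);
    return inner < 0 ? inner : inner + 1;   /* propagate errors up the chain */
}

int main(void)
{
    printf("chained: %d\n", render_class(chained, 3, "A", 0));
    printf("cyclic:  %d\n", render_class(cyclic, 2, "A", 0));
    return 0;
}
```

A depth limit bounds both circular and merely very deep (non-circular) nesting, which a visited-set alone would not.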
DailyCVE Form:
Platform: ImageMagick
Version: < 6.9.13‑49, < 7.1.2‑24
Vulnerability: Uncontrolled Recursion (CWE‑674)
Severity: Moderate (CVSS 5.5)
Date: 2026‑06‑10
Prediction: 2026‑06‑25
What Undercode Say:
```bash
# Check installed ImageMagick version
convert --version

# For Debian/Ubuntu, list package version
dpkg -l | grep imagemagick

# For RHEL/CentOS/Fedora
rpm -qa | grep -i imagemagick

# Example of a vulnerable version output (before patch)
# Version: ImageMagick 6.9.11-60 Q16 x86_64 ...

# After upgrading to a patched version, verify the fix
convert --version
# Expected output for patched version:
# Version: ImageMagick 6.9.13-49 Q16 x86_64 ...
# or
# Version: ImageMagick 7.1.2-24 Q16 x86_64 ...

# For Magick.NET NuGet packages, check the project file
# Ensure Magick.NET-Q16-AnyCPU version >= 14.14.0
grep -E 'Magick.NET-Q16-AnyCPU' YourProject.csproj
# Should show <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="14.14.0" />
```
Exploit:
A crafted MVG file exploits the missing depth check. The following pseudo‑MVG structure demonstrates the attack:
```
<svg>
  <defs>
    <class id="A">
      <class id="B"/>
    </class>
    <class id="B">
      <class id="A"/>
    </class>
  </defs>
  <use class="A"/>
</svg>
```
When the decoder processes `<use class="A"/>`, it calls `RenderMVGContent` for class `A`. Inside class `A`, the reference to class `B` triggers another recursive call. Class `B` then references class `A` again, creating an endless cycle. Without a visited‑set or depth limit, this loop continues until the stack overflows. The attacker only needs to supply this file via an upload form or any image‑processing pipeline that accepts MVG input.
Protection:
- Upgrade ImageMagick to at least 6.9.13‑49 or 7.1.2‑24. These versions include the depth counter and termination logic.
- For Magick.NET users, update to version 14.14.0 or later (all relevant NuGet packages are affected: `Magick.NET-Q16-AnyCPU`, `Magick.NET-Q16-HDRI-AnyCPU`, and all architecture‑specific variants).
- Restrict or sanitize image uploads to block MVG files if an immediate upgrade is not possible.
- Disable the MVG decoder via ImageMagick’s policy.xml (e.g., set `<policy domain="coder" rights="none" pattern="MVG" />`) as a temporary workaround.
- After upgrading, verify that the new binary is in use and that no deprecated or unsafe codecs remain enabled.
Impact:
- Denial of Service (DoS): The primary and most likely impact. A malicious MVG file causes the application to crash, disrupting services that rely on image processing (e.g., web uploads, batch converters, thumbnail generators).
- Potential Arbitrary Code Execution: In rare cases, stack corruption may overwrite return addresses or other control data, allowing an attacker to execute arbitrary code with the privileges of the process.
- No Confidentiality or Integrity Impact: The CVSS vector shows `C:N/I:N`, meaning the vulnerability does not directly leak information or modify data.
- Affected Ecosystem: All versions prior to the fixed releases are vulnerable, including numerous Linux distributions (Debian bullseye/bookworm, etc.) that ship older ImageMagick packages. The vulnerability is moderate in severity and has not been observed in active widespread exploitation as of the advisory date.
Sources:
Reported By: github.com

