CVE-2026-28494

7.1 HIGH

📋 TL;DR

A stack buffer overflow vulnerability in ImageMagick's morphology kernel parsing functions allows attackers to corrupt the stack by providing specially crafted kernel strings. This affects all systems running vulnerable versions of ImageMagick that process untrusted image files. Successful exploitation could lead to arbitrary code execution or denial of service.

💻 Affected Systems

Products:
  • ImageMagick
Versions: All versions prior to 7.1.2-16 and 6.9.13-41
Operating Systems: All operating systems running vulnerable ImageMagick versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service using ImageMagick to process untrusted images is vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the ImageMagick process, potentially leading to full system compromise.

🟠

Likely Case

Denial of service through application crashes or limited code execution within the ImageMagick process context.

🟢

If Mitigated

Application crash with no further impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: HIGH - ImageMagick is commonly used in web applications for image processing, making internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems processing untrusted images are at risk, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious kernel strings, but no public proof-of-concept is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.2-16 or 6.9.13-41

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-932h-jw47-73jm

Restart Required: Yes

Instructions:

1. Update ImageMagick to version 7.1.2-16 or 6.9.13-41.
2. Restart all services using ImageMagick.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable morphology operations (platform: all)

Remove or disable morphology functionality in ImageMagick configuration

Edit policy.xml to remove morphology permissions

Sandbox ImageMagick (platform: linux)

Run ImageMagick in a restricted environment with limited privileges

Use seccomp, AppArmor, or SELinux to restrict ImageMagick

🧯 If You Can't Patch

  • Implement strict input validation for all image processing operations
  • Isolate ImageMagick processes in containers or VMs with network restrictions

🔍 How to Verify

Check if Vulnerable:

Check ImageMagick version with 'convert --version' or 'magick --version'

Check Version:

convert --version | head -1

Verify Fix Applied:

Verify version is 7.1.2-16 or higher (for version 7) or 6.9.13-41 or higher (for version 6)
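The version check above has to handle two release lines and the "-N" patch suffix separately, which a plain string comparison gets wrong. The following POSIX sh script is an added example (not part of this advisory or of ImageMagick) that parses the banner line of `magick --version` / `convert --version` and compares it against the fixed releases named here; the sample banner is constructed.

```shell
#!/bin/sh
# Added example: classify an ImageMagick version against the fixed releases
# in this advisory (7.1.2-16 for the 7.x line, 6.9.13-41 for the 6.x line).

# Extract "7.1.1-15" from "Version: ImageMagick 7.1.1-15 Q16-HDRI ...".
im_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p'
}

# Numeric comparison of MAJOR.MINOR.MICRO-PATCH versions.
# Returns 0 if $1 >= $2, 1 otherwise.
im_version_ge() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $b; b1=$1; b2=$2; b3=$3; b4=$4
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0   # all four fields equal
}

# Print "fixed", "vulnerable" or "unknown" for a version string.
im_status() {
    case "$1" in
        7.*) fixed=7.1.2-16 ;;
        6.*) fixed=6.9.13-41 ;;
        *)   echo unknown; return 0 ;;
    esac
    if im_version_ge "$1" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Live check: magick on IM7, falling back to convert on IM6.
check_installed() {
    banner=$( (magick --version 2>/dev/null || convert --version 2>/dev/null) | head -1 )
    v=$(im_version_from_banner "$banner")
    [ -n "$v" ] || { echo "ImageMagick not found"; return 2; }
    echo "$v: $(im_status "$v")"
}

# Constructed sample banner (not taken from a real host), for a dry run.
SAMPLE_BANNER='Version: ImageMagick 7.1.1-15 Q16-HDRI x86_64 21298 https://imagemagick.org'
v=$(im_version_from_banner "$SAMPLE_BANNER")
echo "$v: $(im_status "$v")"   # prints "7.1.1-15: vulnerable"
```

Run `check_installed` on a host to test the installed binary; it exits 2 when neither `magick` nor `convert` is on the PATH.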

📡 Detection & Monitoring

Log Indicators:

  • ImageMagick segmentation faults
  • Unexpected process termination
  • Stack overflow errors in application logs

Network Indicators:

  • Unusual image upload patterns
  • Requests with malformed image data

SIEM Query:

(process_name:"convert" OR process_name:"magick") AND (event_type:crash OR exit_code:139)
