ImageMagick Vulnerable to Stack Overflow in its MVG Decoder · CVE-2026-48734 · GitHub Advisory Database · GitHub

ImageMagick Vulnerable to Stack Overflow in its MVG Decoder

Moderate severity GitHub Reviewed Published May 30, 2026 in ImageMagick/ImageMagick • Updated Jun 25, 2026

Package

Magick.NET-Q16-AnyCPU (NuGet)

Affected versions

< 14.14.0

Patched versions

14.14.0

Magick.NET-Q16-HDRI-AnyCPU (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-HDRI-arm64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-HDRI-x64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-HDRI-x86 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-OpenMP-arm64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-OpenMP-x64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-arm64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-x64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q16-x86 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q8-AnyCPU (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q8-OpenMP-arm64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q8-OpenMP-x64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q8-arm64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q8-x64 (NuGet)

< 14.14.0

14.14.0

Magick.NET-Q8-x86 (NuGet)

< 14.14.0

14.14.0

Description

A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check.

References

dlemstra published to ImageMagick/ImageMagick

May 30, 2026

Published by the National Vulnerability Database

Jun 10, 2026

Published to the GitHub Advisory Database Jun 25, 2026

Reviewed Jun 25, 2026

Last updated Jun 25, 2026

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H