Fluid Attacks Database

Description

ImageMagick has a heap Buffer Overflow in ImageMagick MVG decoder A heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	imagemagick	=8:6.9.11.60+dfsg-1.6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u1 \|\| =8:6.9.11.60+dfsg-1.6+deb12u2 \|\| =8:6.9.11.60+dfsg-1.6+deb12u3 \|\| =8:6.9.11.60+dfsg-1.6+deb12u4 \|\| =8:6.9.11.60+dfsg-1.6+deb12u5 \|\| =8:6.9.11.60+dfsg-1.6+deb12u6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u7 \|\| =8:6.9.11.60+dfsg-1.6+deb12u8 \|\| >=0 <8:6.9.11.60+dfsg-1.6+deb12u9	8:6.9.11.60+dfsg-1.6+deb12u9
debian 14	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.46+dfsg1-1 \|\| =8:7.1.1.47+dfsg1-1 \|\| =8:7.1.1.47+dfsg1-2 \|\| =8:7.1.2.1+dfsg1-1 \|\| =8:7.1.2.12+dfsg1-1 \|\| =8:7.1.2.13+dfsg1-1 \|\| =8:7.1.2.15+dfsg1-1 \|\| =8:7.1.2.15+dfsg1-2 \|\| =8:7.1.2.16+dfsg1-1 \|\| =8:7.1.2.18+dfsg1-1 \|\| =8:7.1.2.3+dfsg1-1 \|\| =8:7.1.2.7+dfsg1-1 \|\| =8:7.1.2.8+dfsg1-1 \|\| >=0 <8:7.1.2.19+dfsg1-1	8:7.1.2.19+dfsg1-1
nuget	magick.net-q16-openmp-x64	>=0 <14.12.0	14.12.0
nuget	magick.net-q8-openmp-arm64	>=0 <14.12.0	14.12.0
nuget	magick.net-q8-openmp-x64	>=0 <14.12.0	14.12.0
debian 11	imagemagick	=8:6.9.11.60+dfsg-1.3 \|\| =8:6.9.11.60+dfsg-1.3+deb11u1 \|\| =8:6.9.11.60+dfsg-1.3+deb11u10 \|\| =8:6.9.11.60+dfsg-1.3+deb11u11 \|\| =8:6.9.11.60+dfsg-1.3+deb11u12 \|\| =8:6.9.11.60+dfsg-1.3+deb11u2 \|\| =8:6.9.11.60+dfsg-1.3+deb11u3 \|\| =8:6.9.11.60+dfsg-1.3+deb11u4 \|\| =8:6.9.11.60+dfsg-1.3+deb11u5 \|\| =8:6.9.11.60+dfsg-1.3+deb11u6 \|\| =8:6.9.11.60+dfsg-1.3+deb11u7 \|\| =8:6.9.11.60+dfsg-1.3+deb11u8 \|\| =8:6.9.11.60+dfsg-1.3+deb11u9 \|\| >=0 <8:6.9.11.60+dfsg-1.3+deb11u13	8:6.9.11.60+dfsg-1.3+deb11u13
debian 13	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.43+dfsg1-1+deb13u1 \|\| =8:7.1.1.43+dfsg1-1+deb13u2 \|\| =8:7.1.1.43+dfsg1-1+deb13u3 \|\| =8:7.1.1.43+dfsg1-1+deb13u4 \|\| =8:7.1.1.43+dfsg1-1+deb13u5 \|\| =8:7.1.1.43+dfsg1-1+deb13u6 \|\| =8:7.1.1.43+dfsg1-1+deb13u7 \|\| >=0 <8:7.1.1.43+dfsg1-1+deb13u8	8:7.1.1.43+dfsg1-1+deb13u8
nuget	magick.net-q16-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-openmp-arm64	>=0 <14.12.0	14.12.0

1-10 of 23

Aliases

1. CVE-2026-339012. NVD-2026-339013. OSV-DEBIAN-2026-339014. OSV-2026-339015. GHSA-x9h5-r9v2-vcww6. GCVE-2026-339017. SECURITY-TRACKER-CVE-2026-33901

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww2. https://github.com/ImageMagick/ImageMagick/commit/4c72003e9e54a4ebaa938d239e75f5d285527ebe3. https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-194. https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0